Is there a possibility that I can create a dashboard which shows me a list of AD members who were added to a group?
I see the EventID 4627 from the category Group Membership, but there are just the SIDs. Can Graylog look up these IDs and compare them to show me a list I can read ^^ so that I have an overview of who was added to which group?
I am running Graylog (open) v4.2.7 and the inputs are GELF-UDP.
What are you using to ship the logs from the Windows machines? Beats? NXLog? I am not sure how the logs look when shipped to a GELF input… can you post an example message? Does GELF break out fields for you? There are several event IDs that could occur when a user is added to a group that you have to take into account (4732, 4728, 4756, 4746, 4751, 4761). Here is a quick link to a cheat sheet where you can find more detail… or full details at the Ultimate Windows Security encyclopedia.
I have winlogbeat on the Windows side going to a Beats input. When a user is added to a group I will get the full event log and broken-out fields such as:
User added (distinguished name):
Group added to:
winlog_event_data_TargetUserName: Domain Admins
If GELF doesn't have that, you may want to consider switching to a more helpful Beats environment… if the need for that data exceeds the cost of changing…
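As an added illustration of what the replies above describe (this is example code, not part of the thread or of Graylog/winlogbeat), the script below takes messages with flattened winlogbeat-style fields, keeps only the group-add event IDs listed in the thread, and turns them into a readable "member / group / added by" list. When an event carries only a SID for the member (as in the original question), it resolves the SID through a small lookup table, which stands in for the Graylog lookup table you would use in production. The field `winlog_event_data_TargetUserName` is taken from the thread; `MemberName`, `MemberSid` and `SubjectUserName` are the standard event_data fields of these Windows events; the sample messages and the SID table are constructed for the demo.

```python
"""Summarise Windows group-membership additions into a readable list.

Added example, not code from the thread. Field names follow the flattened
winlogbeat style shown in the thread (winlog_event_data_TargetUserName);
sample messages and the SID lookup table are constructed for the demo.
"""
import json
from typing import Dict, Iterable, List

# Event IDs named in the thread: 4728 global, 4732 local, 4756 universal
# security groups; 4746 / 4751 / 4761 are the distribution-group variants.
GROUP_ADD_EVENT_IDS = {4728, 4732, 4756, 4746, 4751, 4761}

# Constructed SID -> account table. In Graylog this would be a lookup table
# backed by a CSV or LDAP data adapter; here it is inline so the demo runs offline.
SID_LOOKUP: Dict[str, str] = {
    "S-1-5-21-1111111111-2222222222-3333333333-1105": "CONTOSO\\jdoe",
    "S-1-5-21-1111111111-2222222222-3333333333-1106": "CONTOSO\\asmith",
}

# Constructed sample messages (flattened winlogbeat-style JSON).
SAMPLE_MESSAGES: List[str] = [
    json.dumps({"winlog_event_id": 4728,
                "winlog_event_data_MemberName": "CN=John Doe,OU=Users,DC=contoso,DC=com",
                "winlog_event_data_MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
                "winlog_event_data_TargetUserName": "Domain Admins",
                "winlog_event_data_SubjectUserName": "admin1"}),
    # Local-group add where the event carries only the SID for the member.
    json.dumps({"winlog_event_id": 4732,
                "winlog_event_data_MemberName": "-",
                "winlog_event_data_MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1106",
                "winlog_event_data_TargetUserName": "Administrators",
                "winlog_event_data_SubjectUserName": "admin1"}),
    # A logon event: not a group change, must be ignored.
    json.dumps({"winlog_event_id": 4624,
                "winlog_event_data_TargetUserName": "jdoe"}),
    # Universal-group add with a SID the lookup table does not know.
    json.dumps({"winlog_event_id": 4756,
                "winlog_event_data_MemberName": "-",
                "winlog_event_data_MemberSid": "S-1-5-21-9999999999-8888888888-7777777777-5555",
                "winlog_event_data_TargetUserName": "Backup Operators",
                "winlog_event_data_SubjectUserName": "svc-provision"}),
    "this is not json",  # malformed input must not crash the summary
]


def resolve_sid(sid: str, lookup: Dict[str, str] = SID_LOOKUP) -> str:
    """Map a SID to an account name; unknown SIDs are kept verbatim so
    nothing silently disappears from the dashboard."""
    return lookup.get(sid, sid)


def summarize_group_additions(messages: Iterable[str],
                              lookup: Dict[str, str] = SID_LOOKUP) -> List[Dict[str, object]]:
    """Return one row per group-add event: who was added, to which group, by whom."""
    rows: List[Dict[str, object]] = []
    for raw in messages:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip unparseable messages rather than abort the whole run
        try:
            event_id = int(ev.get("winlog_event_id", -1))
        except (TypeError, ValueError):
            continue
        if event_id not in GROUP_ADD_EVENT_IDS:
            continue
        member = ev.get("winlog_event_data_MemberName")
        if member in (None, "", "-"):
            # No readable name in the event: fall back to the SID lookup.
            member = resolve_sid(ev.get("winlog_event_data_MemberSid", "?"), lookup)
        rows.append({
            "event_id": event_id,
            "member": member,
            "group": ev.get("winlog_event_data_TargetUserName", "?"),
            "added_by": ev.get("winlog_event_data_SubjectUserName", "?"),
        })
    return rows


def render(rows: List[Dict[str, object]]) -> str:
    """Plain-text table of the summary rows."""
    lines = [f"{'event':<6} {'member':<45} {'group':<20} added_by"]
    for r in rows:
        lines.append(f"{r['event_id']:<6} {str(r['member']):<45} {str(r['group']):<20} {r['added_by']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarize_group_additions(SAMPLE_MESSAGES)))
```

The same idea maps onto Graylog directly: a stream filtered on these event IDs, a pipeline rule that calls a lookup table on the MemberSid field when MemberName is "-", and a dashboard widget grouped by the resulting member and group fields.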
Thanks for your input, but I didn't have time to try it… and now we have a workshop… and after that I will go on holiday. I will try it after that.
No worries - let us know how it turns out when you get to it!
I couldn't resist trying it before we drive to Denmark. With winlogbeat it looks way different and I think that's the way I want. I will kill all GELF inputs and replace them with winlogbeat.