Dashboard: Added Members to AD Group

Hi,

is there a possibility, that i can create a Dashboard which shows me a list of AD Members who were added to a group?

I see the EventID 4627 out of the Category Group Membership but there are just the SID´s. Can Graylog lookup these ID´s and compare it to show me a list i can read^^ so that I have an overview about who where added to which group?

I am running Graylog (open) v4.2.7 and the Inputs are GELF-UDP

THX
Hank

What are you using to ship the logs form the windows machines? Beats? Nxlog? I am not sure how the logs look when shipped to a GELP input… can you post an example message? Does GELF break out fields for you? There are several eventID’s that could occur when a user is added to a group that you have to take into account (4732, 4728, 4756, 4746, 4751, 4761) Here is a quick link to a cheat sheet where you can find more detail… or full details at ultimate windows security encyclopedia

I have winlogbeats on the windows side going to a beats input. When a user is added to a group I will get the full eventlog and broken out fields such as:

User added (distinguished name):
winlog_event_data_MemberName:CN=Tmacgbay,OU=this,OU=that,OU=mainOUgroup,OU=allOUs,DC=domain,DC=tld

Group added to:
winlog_event_data_TargetUserName: Domain Admins

If GELF doesn’t’ have that you may want to consider switching to a more helpful beats environment… if the need for that data exceeds the cost of changing…

Hi,

thanks for your input but i dont had time to try it…and now we have a workshop… and after that i will go to holidays. I will try it after that.

thx

No worries - let us know how it turns out when you get to it!

I could´t resist to try it befor we drive to denmark :smiley: With winlogbeat it looks way different and i think thats the way i want. I will kill all GELF inputs and replace them against winlogbeat.

2 Likes