Data Source: Windows Active Directory Admon

Description

Logs administrative actions within Active Directory, including user and group modifications, permission changes, and policy updates.

Details

Source: ActiveDirectory
Sourcetype: ActiveDirectory

Supported Apps

Event Fields

_time
Guid
IMPHASH
MD5
Name
ProcessID
SHA256
SystemTime
ThreadID
UserID
admonEventType
cn
dSCorePropagationData
dcName
displayName
distinguishedName
eventtype
gPCMachineExtensionNames
guid_lookup
host
index
instanceType
linecount
name
objectCategory
objectClass
objectGUID
punct
source
sourcetype
splunk_server
timestamp
uSNChanged
uSNCreated
whenChanged
whenCreated
xmlns

Example Log

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/>
    <EventID>4688</EventID>
    <Version>2</Version>
    <Level>0</Level>
    <Task>13312</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime='2023-03-28T19:31:14.812003000Z'/>
    <EventRecordID>362027</EventRecordID>
    <Correlation/>
    <Execution ProcessID='4' ThreadID='160'/>
    <Channel>Security</Channel>
    <Computer>ar-win-2.attackrange.local</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data>
    <Data Name='SubjectUserName'>AR-WIN-2$</Data>
    <Data Name='SubjectDomainName'>ATTACKRANGE</Data>
    <Data Name='SubjectLogonId'>0x3e7</Data>
    <Data Name='NewProcessId'>0xa44</Data>
    <Data Name='NewProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe</Data>
    <Data Name='TokenElevationType'>%%1936</Data>
    <Data Name='ProcessId'>0x7a0</Data>
    <Data Name='CommandLine'>"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"</Data>
    <Data Name='TargetUserSid'>NULL SID</Data>
    <Data Name='TargetUserName'>-</Data>
    <Data Name='TargetDomainName'>-</Data>
    <Data Name='TargetLogonId'>0x0</Data>
    <Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data>
    <Data Name='MandatoryLabel'>Mandatory Label\System Mandatory Level</Data>
  </EventData>
</Event>

Source: GitHub | Version: 2