<span class="pill kill-chain">_time</span>
<span class="pill kill-chain">Guid</span>
<span class="pill kill-chain">IMPHASH</span>
<span class="pill kill-chain">MD5</span>
<span class="pill kill-chain">Name</span>
<span class="pill kill-chain">ProcessID</span>
<span class="pill kill-chain">SHA256</span>
<span class="pill kill-chain">SystemTime</span>
<span class="pill kill-chain">ThreadID</span>
<span class="pill kill-chain">UserID</span>
<span class="pill kill-chain">admonEventType</span>
<span class="pill kill-chain">cn</span>
<span class="pill kill-chain">dSCorePropagationData</span>
<span class="pill kill-chain">dcName</span>
<span class="pill kill-chain">displayName</span>
<span class="pill kill-chain">distinguishedName</span>
<span class="pill kill-chain">eventtype</span>
<span class="pill kill-chain">gPCMachineExtensionNames</span>
<span class="pill kill-chain">guid_lookup</span>
<span class="pill kill-chain">host</span>
<span class="pill kill-chain">index</span>
<span class="pill kill-chain">instanceType</span>
<span class="pill kill-chain">linecount</span>
<span class="pill kill-chain">name</span>
<span class="pill kill-chain">objectCategory</span>
<span class="pill kill-chain">objectClass</span>
<span class="pill kill-chain">objectGUID</span>
<span class="pill kill-chain">punct</span>
<span class="pill kill-chain">source</span>
<span class="pill kill-chain">sourcetype</span>
<span class="pill kill-chain">splunk_server</span>
<span class="pill kill-chain">timestamp</span>
<span class="pill kill-chain">uSNChanged</span>
<span class="pill kill-chain">uSNCreated</span>
<span class="pill kill-chain">whenChanged</span>
<span class="pill kill-chain">whenCreated</span>
<span class="pill kill-chain">xmlns</span>
</div>
Data Source: Windows Active Directory Admon
Description
Logs administrative actions within Active Directory, including user and group modifications, permission changes, and policy updates.
Details
| Property | Value |
|---|---|
| Source | ActiveDirectory |
| Sourcetype | ActiveDirectory |
Supported Apps
- Splunk Add-on for Microsoft Windows (version 9.0.1)
Event Fields
Fields
Example Log
1<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-03-28T19:31:14.812003000Z'/><EventRecordID>362027</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='160'/><Channel>Security</Channel><Computer>ar-win-2.attackrange.local</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>AR-WIN-2$</Data><Data Name='SubjectDomainName'>ATTACKRANGE</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0xa44</Data><Data Name='NewProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x7a0</Data><Data Name='CommandLine'>"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"</Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\System Mandatory Level</Data></EventData></Event>
Source: GitHub | Version: 2