How to optimize alerts for changes made to the Adm...

Getting Data In

Hello,

One of our MF Local Administrative Group Member rule is generating a significant number of alerts because sccmadmin group removed from MF member server, assistance is needed in refining this search to minimize unnecessary alerts.

index=foo sourcetype=XmlWinEventLog (EventCode=4732) dest="mf" user!="nt service"
NOT (EventCode="4732" src_user="root" MemberSid="Domain Admins" Group_Name="Administrators")
NOT (EventCode="4732" MemberSid="NT SERVICE\\*" (Group_Name="Administrators" OR Group_Name="Remote Desktop Users"))
| eval user=lower(MemberSid)
| eval src_user=lower(src_user)
| stats values(user) as user, values(Group_Domain) as Group_Domain, values(dest) as dest by src_user,Group_Name,EventCode,signature _time

Thanks...

Get Updates on the Splunk Community!

How to optimize alerts for changes made to the Administrators group in "MF Local Admin Group Member Changes"

data

host

other

source

sourcetype

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?