https://community.splunk.com/t5/Security/LDAP-Search-Active-Directory-App-Monitor-Changes/m-p/511413#M11660 <P>How can I use Splunk to alert / run reports on group member changes?</P><P>Currently I have something I wrote that reads group members from AD, stores in DB then runs a differential.&nbsp; Seems like splunk would be ideal for this. Is there a way to run a search and diff from the previous run?</P> Fri, 31 Jul 2020 14:14:59 GMT ntripp_element 2020-07-31T14:14:59Z https://community.splunk.com/t5/Security/LDAP-Search-Active-Directory-App-Monitor-Changes/m-p/511413#M11660 <P>How can I use Splunk to alert / run reports on group member changes?</P><P>Currently I have something I wrote that reads group members from AD, stores in DB then runs a differential.&nbsp; Seems like splunk would be ideal for this. Is there a way to run a search and diff from the previous run?</P> Fri, 31 Jul 2020 14:14:59 GMT https://community.splunk.com/t5/Security/LDAP-Search-Active-Directory-App-Monitor-Changes/m-p/511413#M11660 ntripp_element 2020-07-31T14:14:59Z https://community.splunk.com/t5/Security/LDAP-Search-Active-Directory-App-Monitor-Changes/m-p/511942#M11663 <P>bump?</P> Fri, 31 Jul 2020 14:57:04 GMT https://community.splunk.com/t5/Security/LDAP-Search-Active-Directory-App-Monitor-Changes/m-p/511942#M11663 ntripp_element 2020-07-31T14:57:04Z https://community.splunk.com/t5/Security/LDAP-Search-Active-Directory-App-Monitor-Changes/m-p/512626#M11676 <P>Yes you can. You can bring your AD logs to Splunk using the following app</P><P><A href="#https://splunkbase.splunk.com/app/742/" target="_self">Splunk App For Windows</A>&nbsp;</P><P>Using ldapsearch command, and with a bit of SPL magic, you can customise the data that you want to pull from AD.</P><P>Since Splunk will store your old, as well as new data, you can easily compare them and schedule alerts, reports, create tickets in a ITSM ticketing tool like Servicenow, Remedy etc and much more.</P><P>Hope this helps,</P><P>S</P><P>Note: If it helped, please mark this as an accepted answer.</P><P>&nbsp;</P> Wed, 05 Aug 2020 18:39:34 GMT https://community.splunk.com/t5/Security/LDAP-Search-Active-Directory-App-Monitor-Changes/m-p/512626#M11676 shivanshu1593 2020-08-05T18:39:34Z https://community.splunk.com/t5/Security/LDAP-Search-Active-Directory-App-Monitor-Changes/m-p/512627#M11677 <P>yes i already was able to pull the information. the other things you referenced I do not follow. I'm really trying to get a little more information on the how ...</P> Wed, 05 Aug 2020 18:41:55 GMT https://community.splunk.com/t5/Security/LDAP-Search-Active-Directory-App-Monitor-Changes/m-p/512627#M11677 ntripp_element 2020-08-05T18:41:55Z https://community.splunk.com/t5/Security/LDAP-Search-Active-Directory-App-Monitor-Changes/m-p/512631#M11679 <P>If you can give some sample data, which has the data of pre and post group changes, we can help you to build the search.</P><P>I believe an EventCode is being generated, everytime there's some changes in the OU. Like 4727 for a group creation, 4728 when a member is added, 4729 if a member is removed and so on.</P><P>If that's the case, I'd look out for those eventcodes and use the table command to pipe the required values in tabular format.</P><P>Again, some sample data and more light on what you want to achieve will be helpful.</P><P>Thanks,</P><P>S</P> Wed, 05 Aug 2020 19:07:48 GMT https://community.splunk.com/t5/Security/LDAP-Search-Active-Directory-App-Monitor-Changes/m-p/512631#M11679 shivanshu1593 2020-08-05T19:07:48Z