https://community.splunk.com/t5/Splunk-Enterprise/Who-added-user-x-to-a-specific-AD-Security-Group/m-p/623878#M14756 <LI-CODE lang="markup">source=WinEventLog:Security EventCode IN (4728, 4732, 4746, 4751, 4756, 4761, 4729, 4733, 4747, 4752, 4757, 4762, 4786, 4788) earliest=-7d@d | eval changed_by=mvindex(Security_ID, 0) | eval member_id=mvindex(Security_ID, 1) | eval group_id=mvindex(Security_ID, 2) | rex "A member was (?&lt;change_type&gt;(added|removed))" | eval host_name=coalesce(src_nt_host, dvc_nt_host, host) | rename EventCode as event_code EventCodeDescription AS event_desc | table _time host_name changed_by change_type group_id member_id event_code event_desc</LI-CODE> Fri, 09 Dec 2022 20:53:07 GMT johnhuang 2022-12-09T20:53:07Z https://community.splunk.com/t5/Splunk-Enterprise/Who-added-user-x-to-a-specific-AD-Security-Group/m-p/623858#M14752 <P>Hi, I'm curious if anyone has a query that can help provide some insight into something I am trying to figure out.&nbsp; The issue is regarding a user that was not a member of the Admin's security group on 5/6/22 but did on 6/2/22.&nbsp; For the life of me, I cannot find out who added this user to that group.&nbsp; I'm using the following query, but it's not providing anything meaningful.&nbsp; Any help is solving this mystery is greatly appreciated.</P> <P>eventtype=wineventlog_security (EventCode=4727 OR EventCode=4730 OR EventCode=4731 OR EventCode=4734 OR EventCode=4735 OR EventCode=4737 OR EventCode=4744 OR EventCode=4745 OR EventCode=4748 OR EventCode=4749 OR EventCode=4750 OR EventCode=4753 OR EventCode=4754 OR EventCode=4755 OR EventCode=4758 OR EventCode=4759 OR EventCode=4760 OR EventCode=4763 OR EventCode=4764)<BR />| stats count by _time,Security_ID,EventCodeDescription,member_dn<BR />| rename member_dn as Change_Made_By</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 12 Dec 2022 15:01:29 GMT https://community.splunk.com/t5/Splunk-Enterprise/Who-added-user-x-to-a-specific-AD-Security-Group/m-p/623858#M14752 itsmevic70 2022-12-12T15:01:29Z https://community.splunk.com/t5/Splunk-Enterprise/Who-added-user-x-to-a-specific-AD-Security-Group/m-p/623877#M14755 <P>Have you tried event code 4728 or 4732?</P><P>As I understand it, the Subject.Account_Name field contains the name of the user added to the group.&nbsp; The user who made the change is in the Member.Account_Name field.&nbsp; I don't see the member_dn field documented.</P> Fri, 09 Dec 2022 20:36:52 GMT https://community.splunk.com/t5/Splunk-Enterprise/Who-added-user-x-to-a-specific-AD-Security-Group/m-p/623877#M14755 richgalloway 2022-12-09T20:36:52Z https://community.splunk.com/t5/Splunk-Enterprise/Who-added-user-x-to-a-specific-AD-Security-Group/m-p/623878#M14756 <LI-CODE lang="markup">source=WinEventLog:Security EventCode IN (4728, 4732, 4746, 4751, 4756, 4761, 4729, 4733, 4747, 4752, 4757, 4762, 4786, 4788) earliest=-7d@d | eval changed_by=mvindex(Security_ID, 0) | eval member_id=mvindex(Security_ID, 1) | eval group_id=mvindex(Security_ID, 2) | rex "A member was (?&lt;change_type&gt;(added|removed))" | eval host_name=coalesce(src_nt_host, dvc_nt_host, host) | rename EventCode as event_code EventCodeDescription AS event_desc | table _time host_name changed_by change_type group_id member_id event_code event_desc</LI-CODE> Fri, 09 Dec 2022 20:53:07 GMT https://community.splunk.com/t5/Splunk-Enterprise/Who-added-user-x-to-a-specific-AD-Security-Group/m-p/623878#M14756 johnhuang 2022-12-09T20:53:07Z