https://community.splunk.com/t5/Splunk-Search/Index-based-search-for-user-being-added-to-multiple-windows/m-p/647574#M224134 <P>Hello Folks,</P> <P>Needed help with index based search for any user being added to multiple windows groups (preferably more then count of 5) in a time span of 15 mins .</P> <P>Thank you</P> Tue, 20 Jun 2023 13:41:14 GMT john-doe 2023-06-20T13:41:14Z https://community.splunk.com/t5/Splunk-Search/Index-based-search-for-user-being-added-to-multiple-windows/m-p/647574#M224134 <P>Hello Folks,</P> <P>Needed help with index based search for any user being added to multiple windows groups (preferably more then count of 5) in a time span of 15 mins .</P> <P>Thank you</P> Tue, 20 Jun 2023 13:41:14 GMT https://community.splunk.com/t5/Splunk-Search/Index-based-search-for-user-being-added-to-multiple-windows/m-p/647574#M224134 john-doe 2023-06-20T13:41:14Z https://community.splunk.com/t5/Splunk-Search/Index-based-search-for-user-being-added-to-multiple-windows/m-p/647576#M224135 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/256134">@john-doe</a>,</P><P>at first, you have to check if your Domain Controller is logging EventCodes 4728 (A member was added to a security-enabled global group) and 4732 (A member was added to a security-enabled local group) and you're taking these EventCodes in your Splunk.</P><P>If yes, you can run a simple search like the following:</P><LI-CODE lang="markup">index=wineventlog EventCode IN (4728,4732) | stats count dc(ComputerName) AS ComputerName_count BY user | where ComputerName_count&gt;1</LI-CODE><P>Obviously you can choose a different threeshold in the last row.</P><P>Ciao.</P><P>Giuseppe</P> Tue, 20 Jun 2023 10:53:36 GMT https://community.splunk.com/t5/Splunk-Search/Index-based-search-for-user-being-added-to-multiple-windows/m-p/647576#M224135 gcusello 2023-06-20T10:53:36Z https://community.splunk.com/t5/Splunk-Search/Index-based-search-for-user-being-added-to-multiple-windows/m-p/647580#M224136 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a></P><P>I think your query will give me user added in particular groups on distinct hosts.</P><P>For checking if a user was added in multiple groups in15 min time span how can I modify your query ?&nbsp; How can I use span or maxspan ?</P><P>&nbsp;</P><P>I was working on something like this below. Not sure how to add the time factor check in there..</P><P>&nbsp;</P><LI-CODE lang="markup">index=windows EventCode IN ("4728", "4756", "4732") Subject_Account_Name !="*$" | stats count values(Group_Name) by Subject_Account_Name, Member_Security_ID | where count &gt;= 20 </LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 20 Jun 2023 11:32:34 GMT https://community.splunk.com/t5/Splunk-Search/Index-based-search-for-user-being-added-to-multiple-windows/m-p/647580#M224136 john-doe 2023-06-20T11:32:34Z https://community.splunk.com/t5/Splunk-Search/Index-based-search-for-user-being-added-to-multiple-windows/m-p/647585#M224138 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/256134">@john-doe</a>,</P><P>you can add the time factor:</P><P>if you want an alert: defining the time monitoring period, e.g. every 15 minutes using the search you shared.</P><P>if instead you want to trace the distinct count of Subject_Accoun_Names registered in more groups, depending on time (e.g. every hour), you could use:</P><LI-CODE lang="markup">index=windows EventCode IN ("4728", "4756", "4732") Subject_Account_Name !="*$" | bin span=1h _time | chart dc(Group_Name) AS Group_Name_count BY _time Subject_Account_Name | where Group_Name_count&gt;= 20 </LI-CODE><P>Ciao.</P><P>Giuseppe</P> Tue, 20 Jun 2023 11:56:40 GMT https://community.splunk.com/t5/Splunk-Search/Index-based-search-for-user-being-added-to-multiple-windows/m-p/647585#M224138 gcusello 2023-06-20T11:56:40Z