https://community.splunk.com/t5/Splunk-Search/How-can-I-get-Membership-information/m-p/647684#M224155 <P>Hi All</P> <P>i have an unified group(i.e office365 unified group) created from Office365.&nbsp; i want to know membership details i.e who has added/removed users to this group. This group will also be visible in Azure AD. i can check audit logs in Azure AD and it shows only for a month. i am trying below splunk query to fetch membership information from both Azure AD and office365 but i am not getting output. <A href="mailto:ug@contoso.com" target="_blank" rel="noopener">ug@contoso.com&nbsp;</A>is my group&nbsp; name</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">sourcetype=azure*:management:activity (Operation="*Change user*" OR Operation="*Update user*") ObjectId="*ug@contoso.com*" (UserId!="Certificate" AND UserId!="ServicePrincipal*" AND UserId!="Sync*") (ModifiedProperties{}.NewValue!=" " AND ModifiedProperties{}.OldValue!=" ") | rename ModifiedProperties{}.NewValue AS ModAdd | rename ModifiedProperties{}.OldValue AS ModRem | rename UserId AS "Actioned By" | rename Operation AS "Action" | rename ObjectId AS "Member" | sort -_time | table _time, ModAdd, ModRem, "Action", Member, "Actioned By"</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 22 Jun 2023 05:45:37 GMT risingflight143 2023-06-22T05:45:37Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-Membership-information/m-p/647684#M224155 <P>Hi All</P> <P>i have an unified group(i.e office365 unified group) created from Office365.&nbsp; i want to know membership details i.e who has added/removed users to this group. This group will also be visible in Azure AD. i can check audit logs in Azure AD and it shows only for a month. i am trying below splunk query to fetch membership information from both Azure AD and office365 but i am not getting output. <A href="mailto:ug@contoso.com" target="_blank" rel="noopener">ug@contoso.com&nbsp;</A>is my group&nbsp; name</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">sourcetype=azure*:management:activity (Operation="*Change user*" OR Operation="*Update user*") ObjectId="*ug@contoso.com*" (UserId!="Certificate" AND UserId!="ServicePrincipal*" AND UserId!="Sync*") (ModifiedProperties{}.NewValue!=" " AND ModifiedProperties{}.OldValue!=" ") | rename ModifiedProperties{}.NewValue AS ModAdd | rename ModifiedProperties{}.OldValue AS ModRem | rename UserId AS "Actioned By" | rename Operation AS "Action" | rename ObjectId AS "Member" | sort -_time | table _time, ModAdd, ModRem, "Action", Member, "Actioned By"</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 22 Jun 2023 05:45:37 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-Membership-information/m-p/647684#M224155 risingflight143 2023-06-22T05:45:37Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-Membership-information/m-p/647718#M224164 <P>To obtain help from volunteers, you will first need to post sample data (anonymize as needed) that can support your belief that the search <EM>should</EM> return output. &nbsp;If the logic is not obvious, you also need to explain your logic between raw data and your expected output.</P> Wed, 21 Jun 2023 07:26:03 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-Membership-information/m-p/647718#M224164 yuanliu 2023-06-21T07:26:03Z