Active Directory - How to alert upon new group mem...

mcrawford44 · ‎08-28-2014

Per the title, How would one go about creating an alert that triggered on a new group member in Active Directory.

I understand you can trigger on event counts, however can you trigger on an addition over historical counts?

I'm currently playing around with a query that will display records within a short window of time behind the current time ( say 1-10 minutes ), and if the count of this > 1 it would trigger an email alert.

I'm curious if there is a better way to do this.

Thanks!

scottsavaresevi · ‎08-28-2014

Do a google search for microsoft event 4728 (I don't have enough Karma to post external links... sorry). Its the event for new users to security groups. If you send your AD logs into splunk you should be able to search for those events in Splunk. Then create an alert based on the appearance of that action. I found these instructions that can help you set an alert up. http://docs.splunk.com/Documentation/Splunk/6.1.3/Alert/Alertexamples

Hope that helps.

mcrawford44 · ‎08-28-2014

I should have specified we are only indexing the active directory structure with admon. There are no forwarders on the domain controllers.

brooklynotss · ‎08-11-2015

see my answer to similar question here: http://answers.splunk.com/answers/132146/ad-user-groups.html#answer-294619

Active Directory - How to alert upon new group member?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!