I have a rule that is not generating any Splunk events when a user has been added to or removed from the AD groups created in CyberArk. I am not sure what I am missing. Any ideas?
Could you please share the condition/logic of the use case so that I can implement the same in other SIEM tools?
index=wineventlog earliest=-16m sourcetype="WinEventLog:Security" CyberArk*DGM ("EventCode=4756" OR "EventCode=4757") action=success | table _time, signature_id, signature, src_user, user_group, user, user_email
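For readers who want the rule's logic in a form that is independent of Splunk, the following is an added example (not the poster's query or any vendor code) that replays the same conditions in Python over constructed Windows Security events: keep only Event IDs 4756 (member added to a security-enabled universal group) and 4757 (member removed), only audit-success events, and only groups whose name matches the CyberArk*DGM wildcard. The field names Subject_Account_Name, Group_Name, Member_Account_Name and Keywords follow the Splunk Windows add-on naming but are assumptions here; the sample events are constructed, not real log data. Note that the search above only fires for universal groups: membership changes to global (4728/4729) or domain-local (4732/4733) groups are outside its scope, which is one thing to check if the CyberArk groups are not universal.

```python
import re
from fnmatch import fnmatchcase

# Windows Security event IDs covered by the rule, with their signature text.
SIGNATURES = {
    "4756": "A member was added to a security-enabled universal group",
    "4757": "A member was removed from a security-enabled universal group",
}

# Constructed sample events (not real log data), flattened into the key=value
# pairs the WinEventLog:Security sourcetype exposes after field extraction.
# Field names are assumptions modelled on the Splunk Windows add-on.
SAMPLE_EVENTS = [
    "_time=2024-05-01T09:12:03 EventCode=4756 Keywords=Audit_Success "
    "Subject_Account_Name=admin.jane Group_Name=CyberArk-Vault-Admins-DGM "
    "Member_Account_Name=bob.smith",
    "_time=2024-05-01T09:15:44 EventCode=4757 Keywords=Audit_Success "
    "Subject_Account_Name=admin.jane Group_Name=CyberArk-Safe-Owners-DGM "
    "Member_Account_Name=carol.lee",
    # Right event code, but not a CyberArk DGM group: must not match.
    "_time=2024-05-01T09:20:10 EventCode=4756 Keywords=Audit_Success "
    "Subject_Account_Name=admin.jane Group_Name=Finance-Reviewers "
    "Member_Account_Name=dan.ng",
    # Global group change (4728): outside the rule's scope even for a DGM group.
    "_time=2024-05-01T09:25:30 EventCode=4728 Keywords=Audit_Success "
    "Subject_Account_Name=admin.jane Group_Name=CyberArk-Auditors-DGM "
    "Member_Account_Name=eve.park",
    # Failed attempt: the rule keeps only successful changes.
    "_time=2024-05-01T09:30:00 EventCode=4756 Keywords=Audit_Failure "
    "Subject_Account_Name=admin.jane Group_Name=CyberArk-Vault-Admins-DGM "
    "Member_Account_Name=frank.wu",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(raw):
    """Turn one flat key=value event line into a dict."""
    return dict(KV_RE.findall(raw))


def detect_group_changes(events, group_pattern="CyberArk*DGM"):
    """Return table rows for successful 4756/4757 events on matching groups.

    Mirrors the Splunk search: EventCode filter, action=success (here the
    Audit_Success keyword), and a case-insensitive wildcard on the group name,
    since Splunk term matching is case-insensitive.
    """
    rows = []
    for raw in events:
        ev = parse_event(raw)
        code = ev.get("EventCode")
        if code not in SIGNATURES:
            continue
        if ev.get("Keywords") != "Audit_Success":
            continue
        group = ev.get("Group_Name", "")
        if not fnmatchcase(group.lower(), group_pattern.lower()):
            continue
        rows.append({
            "_time": ev.get("_time"),
            "signature_id": code,
            "signature": SIGNATURES[code],
            "src_user": ev.get("Subject_Account_Name"),   # who made the change
            "user_group": group,                           # group that changed
            "user": ev.get("Member_Account_Name"),         # member added/removed
        })
    return rows


if __name__ == "__main__":
    for row in detect_group_changes(SAMPLE_EVENTS):
        print(" | ".join(str(v) for v in row.values()))
```

Running the block prints two rows (the 4756 and 4757 events on CyberArk DGM groups); the Finance group, the global-group 4728 event and the failed attempt are all dropped, which is exactly the behaviour the Splunk search above encodes.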