Cyberark user adds/removed not firing in splunk

Path Finder

I have a rule that is not generating any splunk events when a user has been added/removed from my the AD groups created in CyberArk. I am not sure what i am missing. any ideas?

Tags (1)
0 Karma

Could you please share the condition/logic of Use case so that i can implement the same in other SIEM tools

0 Karma


index=wineventlog earliest=-16m sourcetype="WinEventLog:Security" CyberArk*DGM ("EventCode=4756" OR "EventCode=4757") action=success | table time, signatureid, signature, srcuser, usergroup, user, user_email

0 Karma