Audit who makes changes to Active Directory

New Member


I'm looking into using Splunk to report on Active Directory. I've installed the free edition on a test domain & set it up to monitor the directory schema. It seems to be picking up events but I'm unable to find any information about who makes changes (e.g. account create/delete) - is this possible at all?

Thanks in advance for any advice

0 Karma


You should install and look at this app first:


0 Karma

New Member

Hi there,

I know this is an old thread but I am having the same issue as above.
I have installed the Windows Security Operations Center app, but it doesn't display which user made the changes to an AD object. I have tested Netwrix and that application can find the user details with no problem (so I know it is not an auditing settings problem).
Any help would be much appreciated.


Mark B

0 Karma