I'm looking into using Splunk to report on Active Directory. I've installed the free edition on a test domain & set it up to monitor the directory schema. It seems to be picking up events but I'm unable to find any information about who makes changes (e.g. account create/delete) - is this possible at all?
I know this is an old thread but I am having the same issue as above.
I have installed the windows security operations center app but it doesn't display which user made the changes to an AD object. I have tested Netwrix and that application can find the user details with no problem (so I know it is not an auditing settings problem)
Any help would be much appreciated.