Getting Data In

Audit who makes changes to Active Directory

New Member


I'm looking into using Splunk to report on Active Directory. I've installed the free edition on a test domain & set it up to monitor the directory schema. It seems to be picking up events but I'm unable to find any information about who makes changes (e.g. account create/delete) - is this possible at all?

Thanks in advance for any advice

0 Karma


You should install and look at this app first :


0 Karma

New Member

Hi there,

I know this is an old thread but I am having the same issue as above.
I have installed the windows security operations center app but it doesn't display which user made the changes to an AD object. I have tested Netwrix and that application can find the user details with no problem (so I know it is not an auditing settings problem)
Any help would be much appreciated.


Mark B

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!