How can I capture when members are removed from domain admins group?

I am trying to identify when a member has been removed from security-enabled groups such as Domain Admins, using index=wineventlog event_id=4729, but I am not finding anything with Group Name=Domain Admins?

Are you pulling in the logs in XML format?
For non-XML the field is Group_Name for Event ID 4729 (at least in my setup, which should be the standard Windows TA).

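As an added example (not code from the thread), the same check in Python over constructed 4729 events in both renderings the answer distinguishes: classic text, where the "Group Name:" line is what Splunk's Windows TA extracts as Group_Name, and XML, where the group is assumed to sit in the TargetUserName data field. It also goes beyond the question's 4729 by treating 4733 and 4757 (removal from security-enabled local and universal groups) the same way.

```python
import re
import xml.etree.ElementTree as ET

# Removal from security-enabled groups: 4729 global (Domain Admins is global), 4733 local, 4757 universal.
REMOVAL_EVENT_IDS = {"4729", "4733", "4757"}
WATCHED_GROUPS = {"Domain Admins"}
WIN_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Constructed sample events (not real logs); the classic text is the rendering in which the
# Windows TA extracts "Group Name:" as Group_Name.
CLASSIC_4729 = """01/15/2024 10:23:45 AM
LogName=Security
EventCode=4729
Message=A member was removed from a security-enabled global group.
Subject:
\tAccount Name:\t\tjdoe
Member:
\tAccount Name:\t\tCN=Bob Smith,OU=Users,DC=corp,DC=example
Group:
\tGroup Name:\t\tDomain Admins
"""
XML_4729 = ("<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
            "<System><EventID>4729</EventID></System><EventData>"
            "<Data Name='MemberName'>CN=Bob Smith,OU=Users,DC=corp,DC=example</Data>"
            "<Data Name='TargetUserName'>Domain Admins</Data></EventData></Event>")

def parse_classic(text):
    """Classic rendering: event id from EventCode=, group from the 'Group Name:' line."""
    code = re.search(r"^EventCode=(\d+)", text, re.M)
    group = re.search(r"^\s*Group Name:\s*(.+?)\s*$", text, re.M)
    # "Account Name:" occurs under Subject and Member; take the one inside the Member block.
    member = re.search(r"^Member:.*?^\s*Account Name:\s*(.+?)\s*$", text, re.M | re.S)
    if not (code and group and member):
        return None
    return {"event_id": code.group(1), "group": group.group(1), "member": member.group(1)}

def parse_xml(text):
    """XML rendering: group assumed in TargetUserName, member assumed in MemberName."""
    root = ET.fromstring(text)
    event_id = root.findtext("e:System/e:EventID", namespaces=WIN_NS)
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", WIN_NS)}
    if not event_id or "TargetUserName" not in data:
        return None
    return {"event_id": event_id, "group": data["TargetUserName"], "member": data.get("MemberName")}

def find_removals(events):
    """Return one alert per removal from a watched group, whichever rendering the event uses."""
    alerts = []
    for raw in events:
        parsed = parse_xml(raw) if raw.lstrip().startswith("<Event") else parse_classic(raw)
        if parsed and parsed["event_id"] in REMOVAL_EVENT_IDS and parsed["group"] in WATCHED_GROUPS:
            alerts.append(parsed)
    return alerts
```

The classic branch is the equivalent of searching on the Group_Name field the answer names, restricted to event ID 4729, which is what the original search was missing.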