How to investigate Domain Local (DL) and Windows group membership?

If we have Windows events and Active Directory (AD) is synced with Splunk, how can I search/investigate who modified a DL, or who was added to an AD group and who added them?

Is there any query? Or how can I investigate this matter?

Appreciate any help.


0 Karma


There are several event codes that are generated when a group is modified. Look for 4728, 4729, 4732, 4733, 4756, or 4757.

If this reply helps you, an upvote would be appreciated.
0 Karma
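
One way to turn the event codes from the reply above into a search, as an added example that is not part of the original thread. It assumes the Security log is indexed in `index=wineventlog` with source `WinEventLog:Security` in the classic (non-XML) text rendering, which the `rex` patterns depend on; the output field names (`action`, `group_scope`, `changed_by`, `member_name`, `member_sid`, `group_name`) are chosen here for illustration.

```spl
index=wineventlog source="WinEventLog:Security"
    (EventCode=4728 OR EventCode=4729 OR EventCode=4732 OR EventCode=4733 OR EventCode=4756 OR EventCode=4757)
| eval action=case(
    EventCode==4728 OR EventCode==4732 OR EventCode==4756, "member added",
    EventCode==4729 OR EventCode==4733 OR EventCode==4757, "member removed")
| eval group_scope=case(
    EventCode==4728 OR EventCode==4729, "global",
    EventCode==4732 OR EventCode==4733, "local (includes domain local)",
    EventCode==4756 OR EventCode==4757, "universal")
| rex "(?s)Subject:.*?Account Name:\s+(?<changed_by>[^\r\n]+)"
| rex "(?s)Member:.*?Security ID:\s+(?<member_sid>[^\r\n]+).*?Account Name:\s+(?<member_name>[^\r\n]+)"
| rex "(?s)Group:.*?Group Name:\s+(?<group_name>[^\r\n]+)"
| table _time host EventCode group_scope action group_name changed_by member_name member_sid
| sort - _time
```

`changed_by` is the account in the event's Subject block, that is, who made the change; `member_name` and `member_sid` identify the account that was added or removed.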