Getting Data In

How to investigate Domain Local (DL) and Windows group membership?

ambyadav
New Member

Team,

If we have Windows events and Active Directory (AD) is synced with Splunk, how can I search/investigate who modified a DL or who was added in an AD group and who added?

Is there any query? or how can I investigate this matter?

Appreciate any help.

Ambris.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

There are several event codes that are generated when a group is modified. Look for 4728, 4729, 4732, 4733, 4756, or 4757.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.