If we have Windows events and Active Directory (AD) synced with Splunk, how can I search/investigate who modified a DL, or who was added to an AD group and who added them?
Is there any query, or how else can I investigate this?
Appreciate any help.
There are several event codes that are generated when a group is modified. Look for 4728, 4729, 4732, 4733, 4756, or 4757.
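As an added worked example (not part of the answer above, and not a Splunk or Microsoft artifact), the script below shows what those event codes actually carry and how to turn them into "actor added/removed member to/from group" records. The Windows Security log records the person who made the change in the Subject fields (SubjectUserName/SubjectDomainName), the account that was added or removed in MemberName/MemberSid, and the group itself in TargetUserName/TargetDomainName; these are the field names Microsoft-Windows-Security-Auditing emits for the 47xx group-management events. The table goes beyond the six codes in the answer and also covers the security-disabled group (distribution list) equivalents, 4746/4747, 4751/4752 and 4761/4762, which is what the DL half of the question needs. The three events are constructed samples, not real logs. In Splunk, with the Windows add-on rendering events as XML (an assumption about your TA version), the same filter is roughly `index=wineventlog EventCode IN (4728,4732,4756,4746,4751,4761) | table _time EventCode SubjectUserName MemberName TargetUserName`.

```python
"""Extract AD group-membership changes (who added/removed whom, to which
group) from Windows Security events in their XML form.

The sample events below are constructed for this example; the XML layout
and the Data Name values mirror what the Windows event log emits for the
47xx group-management events.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# EventID -> (action, group type). Security-enabled groups are the codes the
# answer lists; the security-disabled (distribution list) codes are included
# so a DL change is caught too.
GROUP_MEMBERSHIP_EVENTS = {
    4728: ("added", "security-enabled global"),
    4729: ("removed", "security-enabled global"),
    4732: ("added", "security-enabled local"),
    4733: ("removed", "security-enabled local"),
    4756: ("added", "security-enabled universal"),
    4757: ("removed", "security-enabled universal"),
    4746: ("added", "security-disabled local"),
    4747: ("removed", "security-disabled local"),
    4751: ("added", "security-disabled global"),
    4752: ("removed", "security-disabled global"),
    4761: ("added", "security-disabled universal"),
    4762: ("removed", "security-disabled universal"),
}


@dataclass(frozen=True)
class MembershipChange:
    time: str
    event_id: int
    action: str   # "added" or "removed"
    scope: str    # group type from the table above
    actor: str    # DOMAIN\user who performed the change (Subject fields)
    member: str   # account that was added/removed (MemberName, or SID if unresolved)
    group: str    # DOMAIN\group that changed (Target fields)


def parse_event(xml_text):
    """Return (event_id, time, {DataName: value}) for one XML event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find(f"{NS}System/{NS}EventID").text)
    time = root.find(f"{NS}System/{NS}TimeCreated").get("SystemTime")
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{NS}Data")}
    return event_id, time, data


def membership_changes(events):
    """Keep only group-membership events and normalise them to records."""
    changes = []
    for xml_text in events:
        event_id, time, data = parse_event(xml_text)
        if event_id not in GROUP_MEMBERSHIP_EVENTS:
            continue  # logons, policy changes etc. are not membership changes
        action, scope = GROUP_MEMBERSHIP_EVENTS[event_id]
        # MemberName is the member's DN; Windows writes "-" when it could not
        # resolve the SID (e.g. foreign-domain principal), so fall back to the SID.
        member = data.get("MemberName", "")
        if member in ("", "-"):
            member = data.get("MemberSid", "")
        changes.append(MembershipChange(
            time=time, event_id=event_id, action=action, scope=scope,
            actor=f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}",
            member=member,
            group=f"{data.get('TargetDomainName', '')}\\{data.get('TargetUserName', '')}",
        ))
    return changes


def changes_to_group(events, group_name):
    """Who touched a specific group (case-insensitive on the group's name)."""
    return [c for c in membership_changes(events)
            if c.group.split("\\", 1)[-1].lower() == group_name.lower()]


def _event(event_id, time, **data):
    """Build a constructed sample event in Windows XML event layout."""
    fields = "".join(f"<Data Name='{k}'>{v}</Data>" for k, v in data.items())
    return (f"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
            f"<System><Provider Name='Microsoft-Windows-Security-Auditing'/>"
            f"<EventID>{event_id}</EventID><TimeCreated SystemTime='{time}'/></System>"
            f"<EventData>{fields}</EventData></Event>")


# Constructed samples: a privileged-group add, an unrelated logon, and a DL add
# whose member only shows up as a SID.
SAMPLE_EVENTS = [
    _event(4728, "2024-05-01T10:15:00.000Z",
           MemberName="CN=John Doe,OU=Users,DC=corp,DC=example",
           MemberSid="S-1-5-21-1000-2000-3000-1105",
           TargetUserName="Domain Admins", TargetDomainName="CORP",
           TargetSid="S-1-5-21-1000-2000-3000-512",
           SubjectUserSid="S-1-5-21-1000-2000-3000-1001",
           SubjectUserName="jsmith", SubjectDomainName="CORP", SubjectLogonId="0x3e7"),
    _event(4624, "2024-05-01T10:16:00.000Z",
           TargetUserName="jsmith", TargetDomainName="CORP", LogonType="3"),
    _event(4751, "2024-05-01T10:20:00.000Z",
           MemberName="-", MemberSid="S-1-5-21-9999-8888-7777-1200",
           TargetUserName="All-Staff", TargetDomainName="CORP",
           SubjectUserName="helpdesk1", SubjectDomainName="CORP"),
]

if __name__ == "__main__":
    for c in membership_changes(SAMPLE_EVENTS):
        print(f"{c.time} {c.event_id}: {c.actor} {c.action} {c.member} -> {c.group} ({c.scope})")
```

`changes_to_group(SAMPLE_EVENTS, "Domain Admins")` answers the "who added whom, and who did it" question for one group; in a real investigation the Subject fields are the ones to pivot on next, since the same account's other 47xx events show the full scope of what it changed.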