I am looking to monitor specific AD user groups and want to create a search that alerts me when the members of these groups perform a login. How do I pull that information?
Sorry, my question was not clear - Active Directory user groups performing a login on Windows
See my answer below and let me know if that helps
Perform a login in Splunk or perform a login on a Windows machine?
If Splunk:
Use the internal logs to monitor when a login success happens
index=_internal sourcetype=splunk_web_service user=* action="login" status="success"
Find if the user belongs to those groups via the ldap commands
If Windows:
Useful links:
Hope that helps.
Thanks,
J
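The two steps in the answer above (spot the successful logon, then check whether the account sits in one of the watched groups) as an added, runnable example; this is not code from the thread or from Splunk. It takes the Windows side of the question: constructed Security log 4624 ("An account was successfully logged on") messages stand in for the logon events, and a constructed dict of sAMAccountName to groups stands in for the result of the LDAP lookup. The group names, account names, SIDs and IP addresses are all made up. The point it shows that the answer does not is that a 4624 message carries two "Account Name" fields, and only the one under "New Logon:" is the account that signed in; reading the first one alerts on machine accounts instead of users.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample events in the Windows Security 4624 message format (not
# real log data). The Subject block names the process that requested the
# logon (a machine account or "-"); the New Logon block names the account
# that actually signed in. The last message is a 4625 (failed logon) and
# must be ignored.
SAMPLE_EVENTS = [
    """An account was successfully logged on.
Subject:
    Security ID:        S-1-5-18
    Account Name:       WS01$
    Account Domain:     CORP
Logon Type:         2
New Logon:
    Security ID:        S-1-5-21-1111111111-2222222222-3333333333-1105
    Account Name:       jsmith
    Account Domain:     CORP
Network Information:
    Workstation Name:   WS01
    Source Network Address: 10.0.0.25""",
    """An account was successfully logged on.
Subject:
    Security ID:        S-1-0-0
    Account Name:       -
    Account Domain:     -
Logon Type:         3
New Logon:
    Security ID:        S-1-5-21-1111111111-2222222222-3333333333-1201
    Account Name:       svc_backup
    Account Domain:     CORP
Network Information:
    Workstation Name:   FS01
    Source Network Address: 10.0.0.40""",
    """An account was successfully logged on.
Subject:
    Security ID:        S-1-5-18
    Account Name:       TS01$
    Account Domain:     CORP
Logon Type:         10
New Logon:
    Security ID:        S-1-5-21-1111111111-2222222222-3333333333-1302
    Account Name:       bob
    Account Domain:     CORP
Network Information:
    Workstation Name:   LAPTOP7
    Source Network Address: 10.0.1.9""",
    """An account failed to log on.
Subject:
    Account Name:       -
Logon Type:         3""",
]

# Constructed stand-in for the group lookup the answer does with the ldap
# commands: sAMAccountName (lower-cased) -> AD groups the account is in.
GROUP_MEMBERSHIP: Dict[str, Set[str]] = {
    "jsmith": {"Domain Admins", "VPN Users"},
    "svc_backup": {"Backup Operators"},
    "bob": {"VPN Users"},
}
WATCHED_GROUPS = {"Domain Admins", "Backup Operators"}

LOGON_TYPE_RE = re.compile(r"Logon Type:\s*(\d+)")
# Anchored on "New Logon:" so the Subject's Account Name is skipped.
NEW_LOGON_RE = re.compile(
    r"New Logon:.*?Account Name:\s*(\S+).*?Account Domain:\s*(\S+)", re.S)
WORKSTATION_RE = re.compile(r"Workstation Name:\s*(\S+)")
SRC_IP_RE = re.compile(r"Source Network Address:\s*(\S+)")


@dataclass(frozen=True)
class Logon:
    account: str
    domain: str
    logon_type: int
    workstation: str
    source_ip: str


def parse_4624(event: str) -> Optional[Logon]:
    """Extract the signed-in account from a 4624 message; None for anything else."""
    if "An account was successfully logged on" not in event:
        return None
    lt, nl = LOGON_TYPE_RE.search(event), NEW_LOGON_RE.search(event)
    if not lt or not nl:
        return None
    ws, ip = WORKSTATION_RE.search(event), SRC_IP_RE.search(event)
    return Logon(nl.group(1), nl.group(2), int(lt.group(1)),
                 ws.group(1) if ws else "-", ip.group(1) if ip else "-")


def watched_logons(events: Iterable[str], membership: Dict[str, Set[str]],
                   watched_groups: Set[str],
                   logon_types: Set[int] = frozenset({2, 10})
                   ) -> List[Tuple[Logon, List[str]]]:
    """Return (logon, matching groups) for successful logons by watched-group members.

    logon_types defaults to 2 (interactive) and 10 (RemoteInteractive/RDP);
    pass a wider set to include network (3) logons as well. Names are compared
    case-insensitively, as AD does.
    """
    watched_lc = {g.lower() for g in watched_groups}
    alerts = []
    for ev in events:
        logon = parse_4624(ev)
        if logon is None or logon.logon_type not in logon_types:
            continue
        groups = membership.get(logon.account.lower(), set())
        hits = sorted(g for g in groups if g.lower() in watched_lc)
        if hits:
            alerts.append((logon, hits))
    return alerts


if __name__ == "__main__":
    for logon, groups in watched_logons(SAMPLE_EVENTS, GROUP_MEMBERSHIP, WATCHED_GROUPS):
        print(f"{logon.domain}\\{logon.account} type={logon.logon_type} "
              f"from {logon.source_ip} ({logon.workstation}) groups={groups}")
```

With the default logon types only jsmith's interactive logon raises an alert; svc_backup's network logon (type 3) is dropped by the type filter, and bob signs in over RDP but is in none of the watched groups. Widening logon_types to include 3 adds the svc_backup logon. In Splunk the same filter is the EventCode=4624 search followed by the ldap lookup the answer mentions, with the membership dict replaced by the lookup's memberOf output.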
How to monitor specific Active Directory user groups, and set up a search to alert when members of these groups perform a login on Active Directory