How to monitor specifics AD groups using Account_N...

marceloamorim · ‎04-20-2020

Hello Guys, I would like your help.

I need to monitor specifics AD Security Groups when someone is add to those groups, however, when I perform the following search using "Group_name", I have no results.
index=main (EventCode=4756 OR EventCode=4728 OR EventCode=4732) Group_name:"Group_A"

When I perform a search using "Account_Name" I receive the results, however, Account_Name is used not only for group name, but for user who added the user account on the group and the user who was added. I cant create a table if one columm shows 3 kind of diferents results.
index=main (EventCode=4756 OR EventCode=4728 OR EventCode=4732) Account_Name=Group_A

Look details below: You can notice that there are three differents values for Account_Name:

Subject:
Security ID: S-1-5-21-1659001184-1614895754-725345543-1010
Account Name: User who take action to add user account on the group
**Account Domain: XYZ
Logon ID: 0x30315A0B

Member:
Security ID: S-1-5-21-1659001184-1614895754-725345543-62020
Account Name: CN=UserX,OU=XYZ,OU=XYZ,OU=XYZ,OU=XYZ,DC=XYZ,DC=XYZ

Group:
Security ID: S-1-5-21-1659001184-1614895754-725345543-423030
Account Name: Group_A
Account Domain: XYZ

thx

How to monitor specifics AD groups using Account_Name?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation