How to monitor specifics AD groups using Account_N...

marceloamorim · ‎04-20-2020

Hello Guys, I would like your help.

I need to monitor specifics AD Security Groups when someone is add to those groups, however, when I perform the following search using "Group_name", I have no results.
index=main (EventCode=4756 OR EventCode=4728 OR EventCode=4732) Group_name:"Group_A"

When I perform a search using "Account_Name" I receive the results, however, Account_Name is used not only for group name, but for user who added the user account on the group and the user who was added. I cant create a table if one columm shows 3 kind of diferents results.
index=main (EventCode=4756 OR EventCode=4728 OR EventCode=4732) Account_Name=Group_A

Look details below: You can notice that there are three differents values for Account_Name:

Subject:
Security ID: S-1-5-21-1659001184-1614895754-725345543-1010
Account Name: User who take action to add user account on the group
**Account Domain: XYZ
Logon ID: 0x30315A0B

Member:
Security ID: S-1-5-21-1659001184-1614895754-725345543-62020
Account Name: CN=UserX,OU=XYZ,OU=XYZ,OU=XYZ,OU=XYZ,DC=XYZ,DC=XYZ

Group:
Security ID: S-1-5-21-1659001184-1614895754-725345543-423030
Account Name: Group_A
Account Domain: XYZ

thx

How to monitor specifics AD groups using Account_Name?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

How to monitor specifics AD groups using Account_Name?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!