Hello Guys, I would like your help.
I need to monitor specifics AD Security Groups when someone is add to those groups, however, when I perform the following search using "Group_name", I have no results.
index=main (EventCode=4756 OR EventCode=4728 OR EventCode=4732) Group_name:"Group_A"
When I perform a search using "Account_Name" I receive the results, however, Account_Name is used not only for group name, but for user who added the user account on the group and the user who was added. I cant create a table if one columm shows 3 kind of diferents results.
index=main (EventCode=4756 OR EventCode=4728 OR EventCode=4732) Account_Name=Group_A
Look details below: You can notice that there are three differents values for Account_Name:
Subject:
Security ID: S-1-5-21-1659001184-1614895754-725345543-1010
Account Name: User who take action to add user account on the group
**Account Domain: XYZ
Logon ID: 0x30315A0B
Member:
Security ID: S-1-5-21-1659001184-1614895754-725345543-62020
Account Name: CN=UserX,OU=XYZ,OU=XYZ,OU=XYZ,OU=XYZ,DC=XYZ,DC=XYZ
Group:
Security ID: S-1-5-21-1659001184-1614895754-725345543-423030
Account Name: Group_A
Account Domain: XYZ
thx