Getting Data In

How to monitor specifics AD groups using Account_Name?

New Member

Hello Guys, I would like your help.

I need to monitor specifics AD Security Groups when someone is add to those groups, however, when I perform the following search using "Groupname", I have no results.
index=main (EventCode=4756 OR EventCode=4728 OR EventCode=4732) Group

When I perform a search using "AccountName" I receive the results, however, AccountName is used not only for group name, but for user who added the user account on the group and the user who was added. I cant create a table if one columm shows 3 kind of diferents results.
index=main (EventCode=4756 OR EventCode=4728 OR EventCode=4732) AccountName=GroupA

Look details below: You can notice that there are three differents values for Account_Name:

Security ID: S-1-5-21-1659001184-1614895754-725345543-1010
Account Name: User who take action to add user account on the group
**Account Domain: XYZ

Logon ID: 0x30315A0B

Security ID: S-1-5-21-1659001184-1614895754-725345543-62020

Security ID: S-1-5-21-1659001184-1614895754-725345543-423030
Account Name: Group_A
Account Domain: XYZ


0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.