I'm relatively new to splunk, and am working to do some auditing of sensitive groups within our active directory.
I've tried a few variation of this: sourcetype=WinEventLog:Security (EventCode=4728 OR EventCode=4729 OR EventCode=4732 OR EventCode=4733 OR EventCode=4756 OR EventCode=4757) user=userID
I was able to find all changes to these cgroups using: sourcetype=WinEventLog:Security (EventCode=4728 OR EventCode=4729 OR EventCode=4732 OR EventCode=4733 OR EventCode=4756 OR EventCode=4757) (user_group="secure_group_alpha" OR user_group="secure_group_beta)" | table EventCode, EventCodeDescription, user_group, user, src_user | rename EventCodeDescription as "Description", user_group as "Group Changed", user as "User Added/Removed", src_user as "Changed By"
But I'm hoping to get more specific