- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Monitor AD Group Changes?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Monitor AD Group Changes?
Hi All,
Trying to understand how I can get the recent membership changes, query working for Domain Admins group. I want to see what there are changes (eithering adding or removing) users from the Domain Admins. Have tried a few queries but no results.
Wondering anyone out there could assist?
'group-changes-for-group("My Domain Name","Domain Admins")`
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you've got AD data coming in, you can run something like this. Have it set to run every 5 minutes, and send a notification if it detects a the windows log event. Your sed commands will vary based on your local structure.
index=*index_name* (EventCode=4728 OR EventCode=4729) earliest=-5m latest=now (Group_Name="*Domain Admins*" OR Group_Name="*Group2*")
| rename src_user AS "Actioned By", src_user_first AS "First Name" src_user_last AS "Last Name" name as "Action Taken"
| rex mode=sed field="Account_Name" "s/CN=//g"
| rex mode=sed field="Account_Name" "s/cn=//g"
| rex mode=sed field="Account_Name" "s/,OU.*//g"
| rex mode=sed field="Account_Name" "s/\\\//g"
| table "Actioned By" "First Name" "Last Name" Account_Name "Action Taken" Group_Name Account_Domain _time
| sort - _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
May I ask if you're using this to track Exchange distribution group changes?
Based on my testing, and thanks a lot for sharing your query, it generates a lot of events, because, even if you just remove a member from a group, Exchange will remove and re-add the others...
Has anyone found a way to work around this?
Cheers!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please try Splunk App for Windows Infra (https://apps.splunk.com/app/1680/). It has prebuilt dashboards for AD environment.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there any free alternative to this, as it went out of support?
Many thanks.
Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
