Monitor AD Group Changes?

andybento · ‎03-13-2015

Hi All,

Trying to understand how I can get the recent membership changes, query working for Domain Admins group. I want to see what there are changes (eithering adding or removing) users from the Domain Admins. Have tried a few queries but no results.
Wondering anyone out there could assist?

'group-changes-for-group("My Domain Name","Domain Admins")`

Thanks,

Simon_Mantell · ‎04-25-2018

If you've got AD data coming in, you can run something like this. Have it set to run every 5 minutes, and send a notification if it detects a the windows log event. Your sed commands will vary based on your local structure.

index=*index_name* (EventCode=4728 OR EventCode=4729) earliest=-5m latest=now (Group_Name="*Domain Admins*" OR Group_Name="*Group2*")
| rename src_user AS "Actioned By", src_user_first AS "First Name" src_user_last AS "Last Name" name as "Action Taken"
| rex mode=sed field="Account_Name" "s/CN=//g"
| rex mode=sed field="Account_Name" "s/cn=//g"
| rex mode=sed field="Account_Name" "s/,OU.*//g" 
| rex mode=sed field="Account_Name" "s/\\\//g" 
| table "Actioned By"  "First Name"  "Last Name" Account_Name "Action Taken" Group_Name Account_Domain _time
| sort - _time

satishsdange · ‎03-15-2015

Please try Splunk App for Windows Infra (https://apps.splunk.com/app/1680/). It has prebuilt dashboards for AD environment.

Monitor AD Group Changes?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM