Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Monitor AD Group Changes?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Monitor AD Group Changes?
Hi All,
Trying to understand how I can get the recent membership changes, query working for Domain Admins group. I want to see what there are changes (eithering adding or removing) users from the Domain Admins. Have tried a few queries but no results.
Wondering anyone out there could assist?
'group-changes-for-group("My Domain Name","Domain Admins")`
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you've got AD data coming in, you can run something like this. Have it set to run every 5 minutes, and send a notification if it detects a the windows log event. Your sed commands will vary based on your local structure.
index=*index_name* (EventCode=4728 OR EventCode=4729) earliest=-5m latest=now (Group_Name="*Domain Admins*" OR Group_Name="*Group2*")
| rename src_user AS "Actioned By", src_user_first AS "First Name" src_user_last AS "Last Name" name as "Action Taken"
| rex mode=sed field="Account_Name" "s/CN=//g"
| rex mode=sed field="Account_Name" "s/cn=//g"
| rex mode=sed field="Account_Name" "s/,OU.*//g"
| rex mode=sed field="Account_Name" "s/\\\//g"
| table "Actioned By" "First Name" "Last Name" Account_Name "Action Taken" Group_Name Account_Domain _time
| sort - _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
May I ask if you're using this to track Exchange distribution group changes?
Based on my testing, and thanks a lot for sharing your query, it generates a lot of events, because, even if you just remove a member from a group, Exchange will remove and re-add the others...
Has anyone found a way to work around this?
Cheers!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please try Splunk App for Windows Infra (https://apps.splunk.com/app/1680/). It has prebuilt dashboards for AD environment.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there any free alternative to this, as it went out of support?
Many thanks.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
