Hi there,
I'd like to create a search to look for group membership changes in Active Directory.
So far I've created this search:
| tstats dc(All_Changes.user) as Useraccounts from datamodel=Change where All_Changes.result_id="4732" OR All_Changes.result_id="4733" by All_Changes.dest All_Changes.action All_Changes.result
which provides me results:
user account blabla added to group
user account blabla removed from group
etc.
However, I'd like to refine this search more to actually be able to determine if a user has been added to a particular privileged group and removed from that same group within a specific time frame, for instance within an hour.
Thanks in advance
Erik
Check out the "Short-lived Admin Accounts" use case in the Splunk Security Essentials app.
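The add-then-remove pairing Erik asks for, as an added example in Python rather than SPL; it is not code from this thread or from Splunk Security Essentials. It runs over constructed sample events (not real logs), treats the group watch-list, host names and 60-minute window as assumptions, and goes slightly beyond the question by also pairing the domain-group equivalents of 4732/4733 (4728/4729 for global groups, 4756/4757 for universal groups).

```python
from collections import defaultdict
from datetime import datetime

# Windows Security event IDs for group membership changes.
ADD_IDS = {"4728", "4732", "4756"}     # member added to global / local / universal group
REMOVE_IDS = {"4729", "4733", "4757"}  # member removed from global / local / universal group

# Assumed watch-list of privileged groups; adjust to the environment.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

# Constructed sample events (hosts, users and times are made up for the demo).
SAMPLE_EVENTS = [
    {"time": "2024-03-01 09:00:00", "event_id": "4732", "member": "jdoe",   "group": "Administrators",  "dest": "srv01"},
    {"time": "2024-03-01 09:40:00", "event_id": "4733", "member": "jdoe",   "group": "Administrators",  "dest": "srv01"},
    {"time": "2024-03-01 10:00:00", "event_id": "4728", "member": "asmith", "group": "Domain Admins",   "dest": "dc01"},
    {"time": "2024-03-01 14:00:00", "event_id": "4729", "member": "asmith", "group": "Domain Admins",   "dest": "dc01"},
    {"time": "2024-03-01 11:00:00", "event_id": "4732", "member": "bob",    "group": "Print Operators", "dest": "srv02"},
    {"time": "2024-03-01 11:10:00", "event_id": "4733", "member": "bob",    "group": "Print Operators", "dest": "srv02"},
]


def find_short_lived_memberships(events, window_seconds=3600, privileged=PRIVILEGED_GROUPS):
    """Return (member, group, dest, added_at, removed_at) for every add event that is
    followed by a remove of the same member from the same privileged group on the
    same host within window_seconds. Adds are matched oldest-first, so an add that
    was already paired cannot be reused for a later remove."""
    parsed = sorted(
        ({**e, "ts": datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")} for e in events),
        key=lambda e: e["ts"],
    )
    pending = defaultdict(list)  # (member, group, dest) -> unmatched add timestamps
    hits = []
    for e in parsed:
        if e["group"] not in privileged:
            continue
        key = (e["member"], e["group"], e["dest"])
        if e["event_id"] in ADD_IDS:
            pending[key].append(e["ts"])
        elif e["event_id"] in REMOVE_IDS and pending[key]:
            added_at = pending[key].pop(0)
            if (e["ts"] - added_at).total_seconds() <= window_seconds:
                hits.append((e["member"], e["group"], e["dest"], added_at, e["ts"]))
    return hits


if __name__ == "__main__":
    for member, group, dest, added, removed in find_short_lived_memberships(SAMPLE_EVENTS):
        print(f"{member} was in {group} on {dest} for {(removed - added).total_seconds() / 60:.0f} min")
```

With the sample data only jdoe is flagged: asmith's membership lasted four hours and Print Operators is not on the watch-list.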