I am new to Splunk and trying to determine how to set up an alert when a user in Active Directory is in two different AD groups. For example, if a user is in group A and group B, alert. Does anyone have some direction on how to achieve this?
The Splunk Supporting Add-on for Active Directory includes the ldapsearch command. When properly configured for your AD domain(s), you can search for users in both groups with an appropriate LDAP filter:
| ldapsearch search="(&(objectCategory=person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=cn=GroupA,ou=Groups,DC=example,DC=com)(memberOf:1.2.840.113556.1.4.1941:=cn=GroupB,ou=Groups,DC=example,DC=com))"
Run as a scheduled search, this can trigger an alert when the result count is greater than 0.
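The filter above relies on two things that are easy to get wrong when adapting it: the `1.2.840.113556.1.4.1941` matching rule makes the `memberOf` test transitive (nested groups count), and any group name placed inside the filter must be escaped per RFC 4515 so a `(`, `)`, `*` or `\` in the DN cannot break or widen the query. The following is an added example, not code from the original post or from the Splunk add-on; it builds the same filter for an arbitrary list of groups and models the transitive-versus-direct membership semantics offline against a small constructed directory (hypothetical DNs and users), so the difference between the two can be checked without a domain controller.

```python
"""Offline model of the ldapsearch check: which users are in every listed group?"""
from collections import deque

# Active Directory's LDAP_MATCHING_RULE_IN_CHAIN OID: makes memberOf follow nested groups.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515 escaping so a group name containing ( ) * or \ cannot alter the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(group_dns, transitive=True):
    """Return the (&(...)) filter from the answer for any number of groups.

    transitive=False drops the matching-rule OID, so only direct membership matches."""
    rule = f":{LDAP_MATCHING_RULE_IN_CHAIN}:" if transitive else ""
    clauses = "".join(f"(memberOf{rule}={escape_filter_value(dn)})" for dn in group_dns)
    return f"(&(objectCategory=person)(sAMAccountName=*){clauses})"


# Constructed sample directory (hypothetical data, not from the original post).
# Each entry lists only its *direct* memberOf values, as AD does.
GROUP_A = "CN=GroupA,OU=Groups,DC=example,DC=com"
GROUP_B = "CN=GroupB,OU=Groups,DC=example,DC=com"
HELPDESK = "CN=Helpdesk,OU=Groups,DC=example,DC=com"
DIRECTORY = {
    "CN=alice,OU=Users,DC=example,DC=com": {
        "objectCategory": "person", "sAMAccountName": "alice",
        "memberOf": [GROUP_A, GROUP_B]},                      # directly in both
    "CN=bob,OU=Users,DC=example,DC=com": {
        "objectCategory": "person", "sAMAccountName": "bob",
        "memberOf": [GROUP_A]},                               # only one group
    "CN=carol,OU=Users,DC=example,DC=com": {
        "objectCategory": "person", "sAMAccountName": "carol",
        "memberOf": [HELPDESK]},                              # in both only via nesting
    HELPDESK: {"objectCategory": "group", "sAMAccountName": "Helpdesk",
               "memberOf": [GROUP_A, GROUP_B]},               # nested inside both targets
    GROUP_A: {"objectCategory": "group", "sAMAccountName": "GroupA", "memberOf": []},
    GROUP_B: {"objectCategory": "group", "sAMAccountName": "GroupB", "memberOf": []},
}


def _norm(dn: str) -> str:
    return dn.lower()  # AD distinguished names compare case-insensitively


def transitive_groups(dn, index):
    """All groups reachable through memberOf chains (the 1941 rule's semantics); cycle-safe."""
    seen = set()
    queue = deque(index.get(_norm(dn), {}).get("memberOf", []))
    while queue:
        group = _norm(queue.popleft())
        if group in seen:
            continue
        seen.add(group)
        queue.extend(index.get(group, {}).get("memberOf", []))
    return seen


def users_in_all_groups(directory, group_dns, transitive=True):
    """sAMAccountNames of person objects that are members of every group in group_dns."""
    index = {_norm(dn): entry for dn, entry in directory.items()}
    targets = {_norm(g) for g in group_dns}
    hits = []
    for dn, entry in directory.items():
        # Mirrors (objectCategory=person)(sAMAccountName=*): skip groups and unnamed objects.
        if entry.get("objectCategory") != "person" or not entry.get("sAMAccountName"):
            continue
        groups = (transitive_groups(dn, index) if transitive
                  else {_norm(g) for g in entry.get("memberOf", [])})
        if targets <= groups:
            hits.append(entry["sAMAccountName"])
    return sorted(hits)


if __name__ == "__main__":
    print(build_filter([GROUP_A, GROUP_B]))
    print("transitive:", users_in_all_groups(DIRECTORY, [GROUP_A, GROUP_B]))
    print("direct only:", users_in_all_groups(DIRECTORY, [GROUP_A, GROUP_B], transitive=False))
```

Against the constructed directory the transitive check returns alice and carol, while the direct-only filter (no `:1.2.840.113556.1.4.1941:`) returns alice alone, which is the gap the matching rule closes. The transitive rule is considerably more expensive on large domains, so keep the filter as narrow as the answer shows (person objects only, explicit group DNs) and schedule the search at an interval the domain controllers can tolerate.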