I'm having trouble writing a query in Splunk to notify me when a user has been added to one or more groups in a specific OU. Here is what is in place; it was recommended to me to move it to Splunk.
A batch file is run to query the users of the specific secure OU:
dsquery group "OU=Secure,OU=Folder,DC=Domaint" | dsget group -members -expand | dsget user -samid -office -display
This is exported as a CSV and consumed by a staging table that runs a stored procedure to check for duplicate samids.
From here SQL reporter emails it out.
Since all the groups start with the same name, i.e. Secure*, I can search and find a lot of useful information in the Splunk logs.
My current search:
secure EventCode=4627
Look for these event codes: 4728 4729 4732 4735 4737 4378 4756 4757
Then write your own logic...
I think there are plenty of answers in this forum regarding changes in groups with Windows event codes.
See here to get an idea of use cases and how to work with the event code data:
https://answers.splunk.com/answers/222668/monitor-ad-group-changes.html
https://answers.splunk.com/answers/558526/find-out-who-changed-an-ad-account-password.html
https://answers.splunk.com/answers/132146/ad-user-groups.html
Hope it helps.
Have you looked at additional event codes, like 4728, 4732, 4756? Those logs would identify when a user is being added to a group. The only thing is that you will need the group names in a lookup.
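The logic the two answers above describe (filter on the member-added/removed event codes, then keep only groups that appear in a lookup of the Secure OU's group names), written out as an added Python example rather than anything from the thread. The key: value event layout, the group names and the account names are constructed for the example; in Splunk the same idea maps to a search on EventCode plus a lookup on Group_Name.

```python
import re

# Windows Security event IDs named in the answers above.
ADDED = {4728, 4732, 4756}    # member added to a global / local / universal group
REMOVED = {4729, 4733, 4757}  # member removed from one
# Stand-in for the lookup of group names under the Secure OU (constructed).
SECURE_GROUPS = {"Secure-Finance", "Secure-HR"}

SECTION_RE = re.compile(r"^(\w[\w ]*):\s*$")          # e.g. "Group:"
FIELD_RE = re.compile(r"^\s+([\w ]+?):\s+(.*\S)\s*$")  # e.g. "    Group Name:  X"

def parse_event(raw):
    """Flatten one multi-line Security event into {'Section.Field': value}."""
    fields, section = {}, None
    for line in raw.splitlines():
        if line.startswith("EventCode="):
            fields["EventCode"] = int(line.split("=", 1)[1])
        elif (m := SECTION_RE.match(line)):
            section = m.group(1)
        elif section and (m := FIELD_RE.match(line)):
            fields[f"{section}.{m.group(1)}"] = m.group(2)
    return fields

def membership_alerts(raw_events, watched_groups=SECURE_GROUPS):
    # One alert per add/remove touching a watched group; everything else is dropped.
    alerts = []
    for raw in raw_events:
        event = parse_event(raw)
        code = event.get("EventCode")
        group = event.get("Group.Group Name", "")
        if code in ADDED | REMOVED and group in watched_groups:
            alerts.append({
                "action": "added" if code in ADDED else "removed",
                "group": group,
                "member": event.get("Member.Account Name", "?"),
                "by": event.get("Subject.Account Name", "?"),
                "event_code": code,
            })
    return alerts

# Builds a constructed sample event in the key: value layout of the Security log.
def sample_event(code, subject, member, group):
    return (f"EventCode={code}\nSubject:\n    Account Name:  {subject}\n"
            f"Member:\n    Account Name:  {member}\nGroup:\n    Group Name:    {group}")

SAMPLE_EVENTS = [
    sample_event(4728, "admin.jdoe", "CN=Jane Doe,OU=Users,DC=example,DC=local", "Secure-Finance"),
    sample_event(4732, "admin.jdoe", "CN=Bob Roe,OU=Users,DC=example,DC=local", "Remote Desktop Users"),
    sample_event(4729, "svc.hr", "CN=Bob Roe,OU=Users,DC=example,DC=local", "Secure-HR"),
]
```

Running membership_alerts(SAMPLE_EVENTS) yields two alerts: the add to Secure-Finance and the removal from Secure-HR; the Remote Desktop Users change is ignored because it is not in the lookup.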
Do you just want an alert/report (daily, weekly, etc.) that gives you a list of the groups' membership?
-or-
Do you just want the report if the membership changes?
@nickhillscpl Just an alert if the membership changes.