Hey All,
I am attempting to write a search that looks for AD group add/removals for specific groups executed by specific users.
I would like to use a lookup list for the AD group names but am a little unsure of the best way to write the search. My results should be any group modifications for any of the groups listed in the lookup not performed by a single account.
This is what I have so far:
index=wineventlog EventCode IN (4728,4729)
| eval SubjectAcct=mvindex(Account_Name,0)
| eval TargetAcct=mvindex(Account_Name,1)
| search SubjectAcct!=ACCT AND Group_Name="GROUP"
| table _time name Group_Name SubjectAcct TargetAcct
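One way to drive the group filter from a lookup, as an added example that is not part of the original post: the group names are read from a CSV lookup via an `inputlookup` subsearch, which Splunk expands into an `OR` of `Group_Name="..."` terms in the base search, so events for non-listed groups are never pulled off disk. The lookup file name `sensitive_ad_groups.csv`, its `Group_Name` column, and the excluded account `svc_automation` are assumptions for illustration; substitute your own.

```spl
index=wineventlog EventCode IN (4728,4729)
    [| inputlookup sensitive_ad_groups.csv
       | fields Group_Name]
| eval SubjectAcct=mvindex(Account_Name,0)
| eval TargetAcct=mvindex(Account_Name,1)
| eval action=if(EventCode=4728,"added to","removed from")
| where SubjectAcct!="svc_automation"
| table _time name Group_Name action SubjectAcct TargetAcct
```

The subsearch returns only the `Group_Name` field, so the implicit `| format` produces a clause like `((Group_Name="Domain Admins") OR (Group_Name="Enterprise Admins"))` and nothing else; keeping extra columns in the lookup would add them to the filter and silently match nothing. The `where` clause is placed after the `eval` that defines `SubjectAcct`, since that field does not exist at base-search time. Note that 4728/4729 cover global security groups only; membership changes to domain-local and universal security groups are logged as 4732/4733 and 4756/4757 respectively, so a monitoring search for privileged groups such as Administrators (a domain-local group) needs those codes in the `IN (...)` list as well.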