I'm having trouble writing a query in Splunk to notify me when a user has been added to one or more groups in a specific OU. Here is what is in place, and it was recommended to me to move it to Splunk.
A batch file is run to query the users of the specific secure OU:
dsquery group "OU=Secure,OU=Folder,DC=Domaint" | dsget group -members -expand | dsget user -samid -office -display
This is exported as a CSV and consumed by a staging table that runs a stored procedure to check for duplicate samid.
From there, SQL reporter emails out.
Since all the groups start with the same name, i.e. Secure*, I can search and find a lot of useful information in the Splunk logs.
My current search:
secure EventCode=4627
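As an added illustration (not from the poster), here is the detection logic the described pipeline performs, run offline over constructed sample events: it keys on the group-membership-change events 4728/4732/4756 rather than the logon event 4627 in the search above, filters on group names beginning with Secure, and reports members landing in more than one secure group (the "duplicate samid" check). The key=value field names and the sample events are assumptions, not data from the poster's environment.

```python
import re
from collections import defaultdict

# Security event IDs for "a member was added to a security-enabled group"
# (4728 global, 4732 local, 4756 universal). Assumed here as the events to
# alert on; the poster's search keys on 4627, which is logged at logon.
GROUP_ADD_EVENTS = {"4728", "4732", "4756"}

# Constructed sample events in a flattened key=value form; not real data,
# and the field names are assumed rather than taken from the poster's index.
SAMPLE_EVENTS = [
    "EventCode=4728 Group_Name=Secure-Finance Member_Name=CN=jdoe,OU=Users,DC=example,DC=local Subject_Account_Name=admin1",
    "EventCode=4728 Group_Name=Sales-Team Member_Name=CN=jdoe,OU=Users,DC=example,DC=local Subject_Account_Name=admin1",
    "EventCode=4732 Group_Name=Secure-HR Member_Name=CN=asmith,OU=Users,DC=example,DC=local Subject_Account_Name=admin2",
    "EventCode=4627 Group_Name=Secure-Finance Member_Name=CN=jdoe,OU=Users,DC=example,DC=local Subject_Account_Name=-",
    "EventCode=4756 Group_Name=Secure-Finance Member_Name=CN=jdoe,OU=Users,DC=example,DC=local Subject_Account_Name=admin3",
    "EventCode=4728 Group_Name=Secure-HR Member_Name=CN=jdoe,OU=Users,DC=example,DC=local Subject_Account_Name=admin1",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")
CN_RE = re.compile(r"^CN=([^,]+)", re.IGNORECASE)

def parse_event(line):
    """Turn one flattened event line into a dict of its key=value fields."""
    return dict(FIELD_RE.findall(line))

def secure_group_additions(lines, prefix="Secure"):
    """Unique (member, group, actor) tuples for additions to groups whose
    name starts with `prefix`; other event codes are ignored."""
    seen = {}
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventCode") not in GROUP_ADD_EVENTS:
            continue
        group = ev.get("Group_Name", "")
        if not group.startswith(prefix):
            continue
        m = CN_RE.match(ev.get("Member_Name", ""))
        member = m.group(1) if m else ev.get("Member_Name", "")
        # first actor wins; a repeat add of the same pair is not a new alert
        seen.setdefault((member, group), ev.get("Subject_Account_Name", "?"))
    return sorted((mem, grp, actor) for (mem, grp), actor in seen.items())

def members_in_multiple_groups(additions):
    """Members added to more than one secure group (the duplicate-samid check)."""
    groups = defaultdict(set)
    for member, group, _ in additions:
        groups[member].add(group)
    return {m: sorted(g) for m, g in groups.items() if len(g) > 1}
```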