×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
beastpc
Loves-to-Learn
Member since: ‎08-04-2022
‎08-05-2022
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎08-04-2022
View All

Local Admin: How to check if a user has not been a...

by in Splunk Search
‎08-04-2022 11:04 PM
‎08-04-2022 11:04 PM
Hi what would be the best way to check if after a user has been added to a group, they have not been removed from the same group within say 24 hours.  I currently have a search that provides a table that shows group additions and group removals using winevent index. What is the best way to find events where there has been an addition but no removal for the same group and user added within 24 hours. I started to look at | transaction but I don't feel this is correct as I am interested if there has not been a removal after a time period. Failing this if anyone has an alternate solution to alert when a user has been added and not removed from a group within a time period that would be much appreciated. Thanks ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎08-05-2022 01:29 PM