Monitor AD Group Changes?

andybento · ‎03-13-2015

Hi All,

Trying to understand how I can get the recent membership changes, query working for Domain Admins group. I want to see what there are changes (eithering adding or removing) users from the Domain Admins. Have tried a few queries but no results.
Wondering anyone out there could assist?

'group-changes-for-group("My Domain Name","Domain Admins")`

Thanks,

Simon_Mantell · ‎04-25-2018

If you've got AD data coming in, you can run something like this. Have it set to run every 5 minutes, and send a notification if it detects a the windows log event. Your sed commands will vary based on your local structure.

index=*index_name* (EventCode=4728 OR EventCode=4729) earliest=-5m latest=now (Group_Name="*Domain Admins*" OR Group_Name="*Group2*")
| rename src_user AS "Actioned By", src_user_first AS "First Name" src_user_last AS "Last Name" name as "Action Taken"
| rex mode=sed field="Account_Name" "s/CN=//g"
| rex mode=sed field="Account_Name" "s/cn=//g"
| rex mode=sed field="Account_Name" "s/,OU.*//g" 
| rex mode=sed field="Account_Name" "s/\\\//g" 
| table "Actioned By"  "First Name"  "Last Name" Account_Name "Action Taken" Group_Name Account_Domain _time
| sort - _time

bmartins-

May I ask if you're using this to track Exchange distribution group changes?

Based on my testing, and thanks a lot for sharing your query, it generates a lot of events, because, even if you just remove a member from a group, Exchange will remove and re-add the others...

Has anyone found a way to work around this?

Cheers!

satishsdange · ‎03-15-2015

Please try Splunk App for Windows Infra (https://apps.splunk.com/app/1680/). It has prebuilt dashboards for AD environment.

bmartins-

Is there any free alternative to this, as it went out of support?

Many thanks.

Monitor AD Group Changes?

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?