Hi,
I am trying to use the Splunk for AD app to find who has modified a user account. However, the default dashboards do not give me any idea which admin made the change.
Is there a specific search that I could use?
Hi,
I've been struggling with the same question for a while. For example, who changed a specific user attribute (we're talking about the data in the msad index, which come from splunk-admon).
It looks like the Active Directory doesn't provide any "who changed" field.
You can take a look at a discussion about it here:
link text
Actually, that should be an enhancement to the next Splunk AD app / Forwarder. I mean, maybe adding a feature to the forwarder to make it possible to catch the identity of the person doing the changes, like other AD monitoring software also does.
Does that answer your question?