I have a rule that is not generating any splunk events when a user has been added/removed from my the AD groups created in CyberArk. I am not sure what i am missing. any ideas?
Could you please share the condition/logic of Use case so that i can implement the same in other SIEM tools
index=wineventlog earliest=-16m sourcetype="WinEventLog:Security" CyberArk_*_DGM ("EventCode=4756" OR "EventCode=4757") action=success | table _time, signature_id, signature, src_user, user_group, user, user_email
