I have something working as a scheduled alert:
index=ad_* objectCategory="CN=Group,CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=com"
| fields - _raw
| dedup cn
| eval splitted=split(member, "|")
| mvexpand splitted
| eval Zone="Latest"
| table cn splitted Zone _time
| append [
    | search index=ad_* objectCategory="CN=Group,CN=Schema,CN=Configuration,DC=foo,DC=bat,DC=com"
    | fields - _raw
    | eventstats latest(_time) AS latest_timestamp by cn
    | eval prev_timestamp = strftime(_time, "%Y-%m-%d %I:%M:%S %p")
    | where _time < latest_timestamp
    | dedup cn
    | eval splitted=split(member, "|")
    | mvexpand splitted
    | eval Zone="Previous"
    | table cn splitted Zone _time latest_timestamp ]
| stats values(cn) AS cn, values(Zone) as Zone, values(_time) as Timestamp, values(latest_timestamp) AS latest_timestamp by splitted
| nomv Zone
| search Zone="Previous"
| eval t=now()
| eval t_earliest = (t - 86400 * 1)
| where latest_timestamp>t_earliest
It can likely be cleaned up, but this is working for both removals and additions of accounts. The query as is only pulls removals, with the "Zone" field set to "Previous". It's set as a scheduled alert around 6am, and it fires if results are > 0.
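The logic the search above implements (take the latest membership snapshot of each group, take the snapshot just before it, and report members that appear only in the older one, restricted to groups whose latest snapshot falls inside a one-day lookback) as a stand-alone Python example. This is an added illustration, not the poster's code or a Splunk API; the event records, group names and member lists are constructed here, and the `member` field is assumed to be a `|`-separated string as the SPL's `split(member, "|")` implies.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the original post): one record per indexed
# AD group snapshot, with the group name (cn), a "|"-separated member list and _time.
SAMPLE_EVENTS = [
    {"cn": "Domain Admins", "member": "alice|bob|carol", "_time": datetime(2024, 1, 1, 5, 0)},
    {"cn": "Domain Admins", "member": "alice|bob|dave", "_time": datetime(2024, 1, 2, 5, 0)},
    {"cn": "Backup Operators", "member": "erin|frank", "_time": datetime(2024, 1, 1, 5, 0)},
    {"cn": "Backup Operators", "member": "erin|frank", "_time": datetime(2024, 1, 2, 5, 0)},
    {"cn": "Remote Desktop Users", "member": "grace", "_time": datetime(2024, 1, 2, 5, 0)},
]

# Constructed "now" for the example: the 6am scheduled run on the day of the latest snapshot.
SAMPLE_NOW = datetime(2024, 1, 2, 6, 0)


def snapshots_by_group(events):
    """Group events by cn, each group's snapshots sorted oldest first."""
    groups = {}
    for ev in events:
        groups.setdefault(ev["cn"], []).append(ev)
    for snaps in groups.values():
        snaps.sort(key=lambda e: e["_time"])
    return groups


def members_of(snapshot):
    """Equivalent of eval splitted=split(member, "|") | mvexpand splitted, as a set."""
    return {m for m in snapshot["member"].split("|") if m}


def diff_memberships(events, now, window=timedelta(days=1)):
    """Compare each group's latest snapshot ("Latest" zone) with the one before it
    ("Previous" zone). Returns {cn: {"removed", "added", "latest_time"}} for groups
    whose latest snapshot is newer than now - window (the SPL's latest_timestamp > t_earliest).
    Groups with a single snapshot have no "Previous" side and are skipped, exactly as the
    appended subsearch would produce no rows for them."""
    cutoff = now - window
    results = {}
    for cn, snaps in snapshots_by_group(events).items():
        if len(snaps) < 2:
            continue
        latest, previous = snaps[-1], snaps[-2]
        if latest["_time"] <= cutoff:
            continue  # stale group: not refreshed within the lookback window
        latest_members = members_of(latest)
        previous_members = members_of(previous)
        results[cn] = {
            "removed": previous_members - latest_members,  # only in "Previous"
            "added": latest_members - previous_members,    # only in "Latest"
            "latest_time": latest["_time"],
        }
    return results


def removal_alert_rows(events, now, window=timedelta(days=1)):
    """The rows the scheduled alert fires on: one per removed member, mirroring the
    final table with Zone="Previous". An empty list means the alert stays quiet."""
    rows = []
    for cn, d in diff_memberships(events, now, window).items():
        for member in sorted(d["removed"]):
            rows.append({"cn": cn, "member": member, "Zone": "Previous",
                         "latest_timestamp": d["latest_time"]})
    return rows


if __name__ == "__main__":
    for row in removal_alert_rows(SAMPLE_EVENTS, SAMPLE_NOW):
        print(row)
```

Running it reports `carol` as removed from `Domain Admins` and nothing for `Backup Operators` (unchanged) or `Remote Desktop Users` (only one snapshot, so no previous state to compare). Moving `now` several days later returns no rows at all, which is the same lookback filter the SPL applies with `where latest_timestamp>t_earliest`: groups that were not re-indexed in the last day are not re-alerted on an old change.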