So if you want to know when a user is added to a group, you have to search for EventCode 4728, and its removal is EventCode 4729. Now you can create a search like the following:
index=wineventlog EventCode IN (4728,4729) | stats values(eval(if(EventCode=4728),ho...
index=wineventlog (EventCode=4728 OR EventCode=4756) | table _time Account_name EventCode EventDescription
Please check the Account_name field; it could be different (e.g. user).
Ciao. Giuseppe
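The two answers above boil down to one piece of detection logic: pick the "member added" / "member removed" event pairs, keep the Subject (who made the change) separate from the Member (who was added or removed), and replay adds against removes per group. The following is an added example, not code from the thread or from Splunk; it runs the same logic in Python over constructed XML Security events shaped like what the Windows add-on emits with renderXml = 1 (sourcetype XmlWinEventLog). The user names, group names and timestamps are made up, and the event IDs beyond 4728/4729/4756 (4732/4733 for local groups, 4757 for universal-group removals) are the standard Windows pairs, which goes a bit beyond the thread's 4728/4756-only searches. The reason the answer says to check Account_name is visible in the parser: every one of these events carries two accounts (SubjectUserName and MemberName), and in the classic non-XML rendering both land in the Account_Name field.

```python
"""Detection logic for AD group-membership changes, run over constructed sample events.

Added example, not from the original thread. The event shape mirrors what the
Splunk Add-on for Windows produces with renderXml = 1; the sample events, account
names and group names below are constructed for illustration only.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Security-enabled group membership changes, keyed by group scope.
# Searching 4728/4729 alone misses domain-local (4732/4733) and universal (4756/4757) groups.
ADD_CODES = {4728: "global", 4732: "local", 4756: "universal"}
REMOVE_CODES = {4729: "global", 4733: "local", 4757: "universal"}
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def make_event(event_id, when, subject, member_dn, group):
    """Build a minimal XML Security event (constructed test data, not a real capture)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><EventID>{event_id}</EventID><TimeCreated SystemTime="{when}"/>'
        '<Channel>Security</Channel></System><EventData>'
        f'<Data Name="MemberName">{member_dn}</Data>'
        f'<Data Name="TargetUserName">{group}</Data>'
        '<Data Name="TargetDomainName">CORP</Data>'
        f'<Data Name="SubjectUserName">{subject}</Data>'
        '<Data Name="SubjectDomainName">CORP</Data>'
        '</EventData></Event>'
    )


# Constructed sample: jdoe is added to a global group and removed the same day; asmith is
# added to a universal group and stays; an unrelated 4624 logon must be ignored.
JDOE = "CN=jdoe,CN=Users,DC=corp,DC=example"
ASMITH = "CN=asmith,CN=Users,DC=corp,DC=example"
SAMPLE_EVENTS = [
    make_event(4728, "2024-03-01T09:00:00Z", "helpdesk1", JDOE, "myapp_users"),
    make_event(4756, "2024-03-01T09:05:00Z", "helpdesk1", ASMITH, "finance_admins"),
    make_event(4729, "2024-03-01T17:30:00Z", "helpdesk2", JDOE, "myapp_users"),
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
    '<EventID>4624</EventID><TimeCreated SystemTime="2024-03-01T18:00:00Z"/></System>'
    '<EventData/></Event>',
]


def parse_event(xml_text):
    """Return a normalised record for a membership-change event, or None for anything else."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    if event_id in ADD_CODES:
        action, scope = "added", ADD_CODES[event_id]
    elif event_id in REMOVE_CODES:
        action, scope = "removed", REMOVE_CODES[event_id]
    else:
        return None
    when = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    # Two distinct accounts live in each of these events: the Subject (who made the
    # change) and the Member (who was added or removed). Keep them in separate fields.
    return {
        "_time": when, "EventCode": event_id, "action": action, "scope": scope,
        "group": data["TargetUserName"], "member": data["MemberName"],
        "actor": data["SubjectUserName"],
    }


def membership_changes(raw_events, group=None):
    """Equivalent of `EventCode IN (...) [Group_Name=<group>] | table ...`, in time order."""
    recs = [r for r in map(parse_event, raw_events) if r is not None]
    if group is not None:
        recs = [r for r in recs if r["group"] == group]
    return sorted(recs, key=lambda r: r["_time"])


def membership_state(raw_events):
    """Replay adds and removes per (group, member): who is still in, and who was added
    and later removed again (the short-lived membership an investigator wants to see)."""
    timeline = defaultdict(list)
    for r in membership_changes(raw_events):
        timeline[(r["group"], r["member"])].append(r["action"])
    present, transient = set(), set()
    for key, actions in timeline.items():
        # Last action wins; an "added" followed later by "removed" is transient.
        (present if actions[-1] == "added" else transient).add(key)
    return {"present": present, "transient": transient}


if __name__ == "__main__":
    for rec in membership_changes(SAMPLE_EVENTS):
        print(rec["_time"], rec["EventCode"], rec["action"], rec["group"], rec["member"], "by", rec["actor"])
    print(membership_state(SAMPLE_EVENTS))
```

membership_state() is the Python counterpart of the stats/eval approach in the first answer: it groups by (group, member) rather than by Account_name, so the operator's own account is never mistaken for the member being added.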
Source | EventCode | Previous CIM model | New CIM model
WinEventLog:Security | 4744, 4749, 4750, 4759 | Change.Account_Management | Change.All_Changes
XmlWinEventLog:Security | 4706, 4713, 4876 | Change.All_Changes
XmlWinEventLog:Security | 4744, 4749, 4750, 4759 | Change.Account_Management | Change.All_Changes ...
My search for a user being added to an Active Directory group is:
index=ad EventCode=4728 Group_Name="myapp_users"
I have tried the following searches that provide me with data, but I can't figure out the next step to show where my objective is met (i.e. where the user didn't get ...
Edit: After working with Splunk support, this issue is fixed in TA version 8.5.0. I recently upgraded our Windows TA from 8.0.0 to 8.2.0. I've noticed that with the Event IDs relating to users being removed or added to groups (4728, 4729, 4732) the user removed or added is l...
[WinEventLog://Security]
disabled = 0
renderXml = 1
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
sourcetype = XmlWinEventLog
index = ad
whitelist1=4624,4769,4728,4732,4756,4761,4751,4746
# This stanza will send all events for the event_code 21...
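A check worth running on a whitelist like the one above: it collects the "member added" codes (4728, 4732, 4756, and the security-disabled-group equivalents 4746, 4751, 4761) but none of the matching "member removed" codes, so the 4728/4729 pairing the earlier answers rely on cannot be reconstructed from what is indexed. The following is an added example, not code from the thread or from Splunk; it parses an inputs.conf stanza (the quoted one is reproduced as constructed input) and reports every add code whose removal counterpart is not whitelisted. The add/remove pairs are the standard Windows Security event IDs for local, global and universal groups, security-enabled and security-disabled.

```python
"""Report unpaired group-membership event codes in a [WinEventLog://Security] whitelist.

Added example, not from the thread. SAMPLE_STANZA is the stanza quoted in the post,
reproduced here as constructed input; MEMBERSHIP_PAIRS are the Windows Security
"member added" -> "member removed" event ID pairs.
"""
import re

# add -> remove for security-enabled local/global/universal groups, then security-disabled.
MEMBERSHIP_PAIRS = {4732: 4733, 4728: 4729, 4756: 4757,
                    4746: 4747, 4751: 4752, 4761: 4762}

SAMPLE_STANZA = """[WinEventLog://Security]
disabled = 0
renderXml = 1
sourcetype = XmlWinEventLog
index = ad
whitelist1=4624,4769,4728,4732,4756,4761,4751,4746
"""


def whitelisted_codes(stanza_text):
    """Collect every numeric event ID from whitelist / whitelistN keys in one stanza.

    Works for the comma-separated form and for the regex form
    (whitelist = EventCode=%^(4624|4625)$%), since only the digit runs are taken."""
    codes = set()
    for line in stanza_text.splitlines():
        m = re.match(r"\s*whitelist\d*\s*=\s*(.*)$", line)
        if m:
            codes.update(int(c) for c in re.findall(r"\d+", m.group(1)))
    return codes


def unpaired_membership_codes(stanza_text):
    """Return {add_code: remove_code} for whitelisted add events whose removal is not."""
    codes = whitelisted_codes(stanza_text)
    return {add: rem for add, rem in MEMBERSHIP_PAIRS.items()
            if add in codes and rem not in codes}


if __name__ == "__main__":
    for add, rem in sorted(unpaired_membership_codes(SAMPLE_STANZA).items()):
        print(f"whitelist has {add} (member added) but not {rem} (member removed)")
```

Adding a second line such as `whitelist2=4729,4733,4757,4747,4752,4762` to the stanza makes the report empty, which is the state you want before building searches that pair adds with removes.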