Monitor Active Directory Group Memberships
Situation:
We have a Users OU in AD that includes employees. There's a Contractors OU as well. Sometimes an employee gets accidentally put into the Contractors OU. Since they get enough access, they can reside in there indefinitely until somebody does an audit.
Is there a way that Sumo Logic could watch the Corp OU and report newly created user accounts and their corresponding OU?
Then we could see if a user was put into the Contractors OU who might have an AD attribute showing they are actually an employee (like a person number).
-
Hi Marc!
This query will give you the list of contractor users created in the past 30 days:
https://service.sumologic.com/ui/#/search/OOxwieA2iNTG0Ul55unUktXEK6dzXOhTyjxlOma3
This is the query syntax I composed to get you the results:
_sourceCategory=security/prod/windows/domaincontroller*
| parse regex "CN=(?<MemberName>[^,]*),OU=(?<OU1>[^,]*),OU=(?<OU2>[^,]*),DC=omada,DC=me"
| where [subquery:
_sourceCategory=security/prod/windows/domaincontroller*
| parse "Display Name:*\n" as MemberName
| trim(MemberName) as MemberName
| parse "Message = \"*\n" as message
| parse "CategoryString = \"*\";" as category
| where message matches "A user account was created.*" and category = "User Account Management"
| compose MemberName]
| where OU1 matches "*Contractor*"
| fields -_raw
Feel free to take it further and expand it as you find useful.
Do not hesitate to let me know if you have any questions I could help answer.
Best regards,
Piotr Woch
Customer Success Manager
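The correlation the query above performs (collect the display names from "user account was created" events, then look up each account's distinguished name and keep the ones whose innermost OU matches "Contractor") can be run locally over exported log text as a sanity check, and extended with the employee-attribute cross-check the original question asks for. The following is an added example, not part of this thread and not Sumo Logic code; the log lines and the employee-number snapshot are constructed and simplified (only the fields the query parses are kept, real Windows event text is longer), and the `employeeNumber`-style attribute name and values are assumptions.

```python
import re

# Constructed, simplified log lines modelled on the two event families the query
# correlates: a creation event carrying "Display Name:", and a directory event carrying
# the object's distinguished name (CN=...,OU=...,OU=...,DC=...). Real event text differs.
SAMPLE_LOG = [
    'CategoryString = "User Account Management"; Message = "A user account was created."; Display Name: Alice Example \n',
    'CategoryString = "User Account Management"; Message = "A user account was created."; Display Name: Bob Builder\n',
    'CategoryString = "User Account Management"; Message = "A user account was enabled."; Display Name: Carol Old\n',
    'Object DN: CN=Alice Example,OU=Contractors,OU=Corp,DC=example,DC=test',
    'Object DN: CN=Bob Builder,OU=Users,OU=Corp,DC=example,DC=test',
    'Object DN: CN=Carol Old,OU=Contractors,OU=Corp,DC=example,DC=test',
]

# Constructed snapshot of a "person number" attribute (assumed to be employeeNumber):
# employees carry one, contractors normally do not.
EMPLOYEE_NUMBERS = {"Alice Example": "E10042", "Bob Builder": "E10043"}

# Same shape as the query's parse regex: CN, innermost OU, parent OU, then the domain.
DN_RE = re.compile(r"CN=(?P<cn>[^,]*),OU=(?P<ou1>[^,]*),OU=(?P<ou2>[^,]*),DC=")
DISPLAY_RE = re.compile(r"Display Name:\s*(?P<name>[^\n]*)")
CATEGORY_RE = re.compile(r'CategoryString = "(?P<cat>[^"]*)"')
MESSAGE_RE = re.compile(r'Message = "(?P<msg>[^"]*)"')


def created_accounts(lines):
    """Inner step (the subquery): display names from account-creation events only."""
    names = set()
    for line in lines:
        cat, msg, disp = CATEGORY_RE.search(line), MESSAGE_RE.search(line), DISPLAY_RE.search(line)
        if not (cat and msg and disp):
            continue
        if cat.group("cat") == "User Account Management" and msg.group("msg").startswith(
            "A user account was created."
        ):
            names.add(disp.group("name").strip())  # mirrors trim(MemberName)
    return names


def account_ous(lines):
    """Outer step: map CN -> (innermost OU, parent OU) from every DN seen in the log."""
    ous = {}
    for line in lines:
        m = DN_RE.search(line)
        if m:
            ous[m.group("cn")] = (m.group("ou1"), m.group("ou2"))
    return ous


def find_misplaced(lines, employee_numbers, ou_pattern="Contractor"):
    """Newly created accounts whose innermost OU matches ou_pattern (case-insensitive),
    with the employee-number cross-check: a contractor-OU account that carries a
    person number is the likely misplaced employee the question describes."""
    created = created_accounts(lines)
    ous = account_ous(lines)
    findings = []
    for name in sorted(created):
        if name not in ous:
            continue  # creation seen but no DN event captured; nothing to place it in
        ou1, ou2 = ous[name]
        if ou_pattern.lower() in ou1.lower():
            findings.append(
                {
                    "name": name,
                    "ou": f"{ou1}/{ou2}",
                    "employee_number": employee_numbers.get(name),
                    "likely_misplaced_employee": name in employee_numbers,
                }
            )
    return findings


if __name__ == "__main__":
    for f in find_misplaced(SAMPLE_LOG, EMPLOYEE_NUMBERS):
        print(f)
```

Two caveats carry over from the query itself: the join assumes the CN in the distinguished name equals the display name in the creation event, which holds only if the naming convention keeps them identical, and the DN regex assumes exactly two OU levels under the domain, so accounts nested one level deeper would be silently skipped rather than flagged.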