Monitor Active Directory Group Memberships

Follow
Avatar
Marc David

Situation:

We have a Users OU in AD that includes employees.  There's a Contractors OU as well.  Sometimes an employee gets accidentally put into the Contractors OU.  Since they get enough access, they can reside in there indefinitely until somebody does an audit.

Is there a way that Sumo Logic could watch the Corp OU and report newly create user accounts and their corresponding OU?

Then we could see if a user was put into the Contractors OU who might have an AD attribute showing they are actually an employee (like a person number).

0

Comments

1 comment

Sort by Date Votes
  • Avatar
    Piotr

    Hi Marc!

    This query will give you the list contractor users created in the past 30 days:

    https://service.sumologic.com/ui/#/search/OOxwieA2iNTG0Ul55unUktXEK6dzXOhTyjxlOma3

    This is the query syntax I composed to get you the results:

    _sourceCategory=security/prod/windows/domaincontroller*
    | parse regex "CN=(?<MemberName>[^,]*),OU=(?<OU1>[^,]*),OU=(?<OU2>[^,]*),DC=omada,DC=me"
    | where [subquery:
    _sourceCategory=security/prod/windows/domaincontroller*
    | parse "Display Name:*\n" as MemberName
    | trim(MemberName) as MemberName
    | parse "Message = \"*\n" as message
    | parse "CategoryString = \"*\";" as category
    | where message matches "A user account was created.*" and category = "User Account Management"
    | compose MemberName]
    | where OU1 matches "*Contractor*"
    | fields -_raw

    Feel free to take it further and expand as your find useful.

    Do not hesitate to let me know if you have any questions I could help answer.

    Best regards,

    Piotr Woch

    Customer Success Manager

    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post