mirror of https://gitlab.com/curben/blog
| title | layout | date |
|---|---|---|
| Protected Group Monitoring | page | 2025-07-27 |
Description: Monitor new accounts with adminCount=1.

References: 1, 2, 3

SPL:
```
index="ldapsearch" destCsv="hourly_adminCount.csv" adminCount=1
| join type=left sAMAccountName domain
    [ | inputlookup ad_users.csv
    | search adminCount=1
    | rename adminCount AS wasAdmin
    | table sAMAccountName domain wasAdmin]
| search NOT wasAdmin=1
| rename domain AS Domain, sAMAccountName AS User, displayName AS Name, mail AS Email
| table Domain, User, Name, Email
```
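
The join-and-filter logic of the query above, as an added Python example (not part of the original page or the blog's own code). The baseline rows, the events, and the function names `load_was_admin` and `newly_protected` are constructed for illustration; it assumes `ad_users.csv` carries `sAMAccountName`, `domain` and `adminCount` columns, as the subsearch implies.

```python
import csv
import io

# Constructed baseline standing in for ad_users.csv (not real directory data).
BASELINE_CSV = """sAMAccountName,domain,adminCount
alice.admin,corp.example,1
bob.ops,corp.example,0
carol.svc,lab.example,1
"""

# Constructed events standing in for the hourly ldapsearch results.
CURRENT_EVENTS = [
    {"sAMAccountName": "alice.admin", "domain": "corp.example", "adminCount": "1",
     "displayName": "Alice Admin", "mail": "alice@corp.example"},
    {"sAMAccountName": "bob.ops", "domain": "corp.example", "adminCount": "1",
     "displayName": "Bob Ops", "mail": "bob@corp.example"},
    {"sAMAccountName": "carol.svc", "domain": "corp.example", "adminCount": "1",
     "displayName": "Carol Service", "mail": ""},
    {"sAMAccountName": "dave.new", "domain": "lab.example", "adminCount": "1",
     "displayName": "Dave New", "mail": "dave@lab.example"},
]


def load_was_admin(baseline_csv):
    """Subsearch equivalent: (sAMAccountName, domain) keys with adminCount=1."""
    rows = csv.DictReader(io.StringIO(baseline_csv))
    return {(r["sAMAccountName"], r["domain"]) for r in rows if r["adminCount"] == "1"}


def newly_protected(events, was_admin):
    """Left join on (sAMAccountName, domain), then drop rows where wasAdmin=1."""
    alerts = []
    for e in events:
        if e.get("adminCount") != "1":
            continue  # the base search only returns adminCount=1 events
        if (e["sAMAccountName"], e["domain"]) in was_admin:
            continue  # wasAdmin=1: already protected in the baseline
        alerts.append({"Domain": e["domain"], "User": e["sAMAccountName"],
                       "Name": e.get("displayName", ""), "Email": e.get("mail", "")})
    return alerts


if __name__ == "__main__":
    for alert in newly_protected(CURRENT_EVENTS, load_was_admin(BASELINE_CSV)):
        print(alert)
```

An account already in the baseline with `adminCount` other than 1 (`bob.ops`) and a same-named account in a different domain (`carol.svc`) are both reported, because the join keys on both fields and the baseline is filtered to `adminCount=1`.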