Dashboard Query: User Added to Security Group

Document created by Spencer Engleson Employee on Oct 27, 2016Last modified by Spencer Engleson Employee on Oct 27, 2016
Version 2Show Document
  • View in full screen mode

These queries show users who have been added to various security groups.  There are several variants of this query, explained below.


Log Set: Active Directory Admin Activity

Event Source: Active Directory


User Added to Security Group

This query shows all users who have been added to a security group.  Recommended visualization option is a table (the "Count" column is the total number of events for the target user that have occurred in the selected time range):


     where(action="MEMBER_ADDED_TO_SECURITY_GROUP") groupby(target_user)



Note that you can change the groupby from target_user to source_user to show all users who are responsible for adding others to security groups, rather than the users who were added to the groups.


User Added to Administrator Group

This query uses RegEx to find users who have been added to a group that contains "admin".


     where(action="MEMBER_ADDED_TO_SECURITY_GROUP" AND group=/.*admin.*/) groupby(target_user)



User Adding others to Administrator Group

By switching the groupby to source_user, we can change the table to show which administrators are adding other users to administrator groups:


     where(action="MEMBER_ADDED_TO_SECURITY_GROUP" AND group=/.*admin.*/) groupby(source_user)


Users Added to Security Group Trend over Time

To see a trend over time for forced password resets, utilize a count function, a timeline chart, and a longer time range to show the number of forced password resets over time:

     where(action="MEMBER_ADDED_TO_SECURITY_GROUP") calculate(count)