Hi, I am a new product marketing person at SolarWinds and I'm sorry I don't know this answer. I've reached out to some technical folks, though, and pointed them at your post, so hopefully we can help you out.
In your LEM console, click Build, then Rules.
Look in the left column under Folders and find "Rule Library". Open this up, and underneath you will see a "Windows/Active Directory" category. All the rules you need for monitoring any group changes/deletions will be located here.
Click the gear wheel on the rule you want to use and select "Clone". This will place the rule in the "Custom Rules" folder. Go there and edit the rule, making the changes you want, such as who gets notified, etc. Click Apply, then Save, and don't forget to activate the rule.
Those rule templates will also be useful when trying to create filters; the same logic applies there.
The Auditable Group Events group SHOULD be catching when a user is added to or removed from a group, when a property change (like the name) is made to that group, that sort of thing. If you're not seeing those events, you might also want to check your domain/local audit policy and make sure those changes are being audited, and then check your event log rotation to make sure it's not full or dropping events.
Another approach might be to create a filter that shows you ALL activity from that device (Any Alert.DetectionIP = <that system>) and see everything that's coming in. If you're auditing login activity that might be overwhelming, so you could narrow it to something like "Change Management Events.DetectionIP = <that system>" too.
And, lastly, you could use nDepth to historically search for those group events - from the filter you've got built, hit the left gear and use "send to nDepth". You can expand the timeframe on the right and hit the Play button again to search back through your data farther. That might help identify if there have been any at all.
Thanks for the help, guys. Did some more digging on our DCs also and found a buried Advanced Audit Configuration we missed. We overlooked the DS Access section and changed the policies to Success for Audit Directory Service Access and Audit Directory Service Changes. Thought we had this enabled at a higher level but didn't see this until we drilled even deeper.
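As an added example (not code from any poster in this thread or from SolarWinds), the following PowerShell check verifies the Advanced Audit Policy subcategories discussed above on a domain controller. It assumes it runs in an elevated prompt on the DC and uses the built-in auditpol.exe with its CSV output switch (/r). The "Security Group Management" subcategory is my own addition, since it is the one that records member add/remove events; it is not named in the thread.

```powershell
# Added example: report (and optionally enable) Success auditing for the
# subcategories that group-change monitoring in LEM depends on.
# Assumptions: run elevated on each DC; auditpol.exe present (built into Windows).
function Test-DsAuditPolicy {
    param(
        # When set, enable Success auditing locally for any subcategory that lacks it.
        [switch]$Remediate
    )

    $subcategories = @(
        'Directory Service Access',
        'Directory Service Changes',
        'Security Group Management'   # assumption: not named in the thread, added here
    )

    foreach ($sub in $subcategories) {
        # /r prints a CSV row with an "Inclusion Setting" column, e.g. "Success and Failure"
        $row     = auditpol /get /subcategory:"$sub" /r | ConvertFrom-Csv
        $setting = $row.'Inclusion Setting'

        if ($setting -match 'Success') {
            [pscustomobject]@{ Subcategory = $sub; Setting = $setting; Status = 'OK' }
        }
        else {
            if ($Remediate) {
                # Local change only; a GPO with Advanced Audit Configuration will overwrite it
                auditpol /set /subcategory:"$sub" /success:enable | Out-Null
                $status = 'FIXED-LOCALLY'
            }
            else {
                $status = 'MISSING'
            }
            [pscustomobject]@{ Subcategory = $sub; Setting = $setting; Status = $status }
        }
    }
}

# Report only; add -Remediate to enable Success auditing on this DC
Test-DsAuditPolicy | Format-Table -AutoSize
```

Run it on every DC, since audit policy is evaluated per machine. If the setting is managed through Group Policy (as the poster above ended up doing under Advanced Audit Configuration), the local -Remediate change only lasts until the next policy refresh, so treat it as a diagnostic and make the permanent change in the GPO.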
You'll also want to make sure you have the LEM agent on all of your DCs.