Your organization uses Windows Security Event logs to detect user group modifications that have not followed the appropriate procedures. You want to collect these logs in Splunk so you can analyze them against your organization’s incident register to ensure that each user modification has an associated incident record.
Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype=wineventlog:security EventCode = 4728 OR EventCode = 4737
Event code 4728 shows when a member was added to a security-enabled global group. Event code 4737 shows when a security global group was changed in Active Directory.
Once you have a report showing these events in Splunk, you can compare the date and time of each incident against your incident register to verify that each user modification that has occurred is valid.
In addition, these resources might help you understand and implement this guidance: