Hello, I'm trying to set up an alert when someone creates or modifies an Active Directory account with a uidNumber that already exists in another account. I already have a search that finds changes to accounts (below). I want to modify this search so that if the Property that changed is "uidNumber" then search ldap to see if it already exists on another account, and send an alert that contains both new and existing accounts names, uidnumber, and admin that made the change. This is the current search I have to find all changes As a separate sort of related question - any idea why when I remove "obj_dn" from the table command I get no results at all? I'm using ldapfilter here to get the cn of an object using the obj_dn field, but I didn't think I needed it anymore after that index=wineventlog EventCode=5136 sourcetype=WinEventLog
| sort -_time
| ldapfilter domain=*** search="(DistinguishedName=$obj_dn$)" attrs="cn"
| rename cn as affected_user, LDAP_Display_Name as Property, dir_svcs_action as action
| table _time, Account_Name, Property, Value, action, affected_user, obj_dn
... View more