The following Splunk queries will give you all permission changes for each user. There are four queries.

1. Windows 2008 Permission Increases:

sourcetype=WinEventLog:Security (EventCode=4717) | eval Date=strftime(_time, "%Y/%m/%d") | rex "Access\sGranted:\s+Access\sRight:\s+(?<RightGranted>\w+)" | rex "Account\sModified:\s+\w+\s\S+\s+.*\\\(?<AccountModified>.*)" | stats count by Date, AccountModified, RightGranted, host | sort - Date

2. Windows 2008 Permission Decreases:

sourcetype=WinEventLog:Security (EventCode=4718) | eval […]
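
The two rex extractions from query 1, replayed in Python over constructed 4717 messages so the field extraction can be checked offline. This is an added example, not part of the original post; the sample events, host and account names, the message layout and the helper names `make_event` and `summarize` are assumptions. It also shows an edge case: when the modified account is logged as a bare SID there is no backslash for the second pattern to anchor on, AccountModified is not extracted, and the event is left out of a `stats ... by AccountModified` result.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Same patterns as the rex commands; Python spells named groups (?P<name>...).
RIGHT_RE = re.compile(r"Access\sGranted:\s+Access\sRight:\s+(?P<RightGranted>\w+)")
ACCOUNT_RE = re.compile(r"Account\sModified:\s+\w+\s\S+\s+.*\\(?P<AccountModified>.*)")

def make_event(epoch, host, account, right):
    """Build a constructed 4717 message body (layout is an assumption)."""
    msg = (
        "System security access was granted to an account.\n\n"
        "Subject:\n\tSecurity ID:\t\tACME\\admin1\n\tAccount Name:\t\tadmin1\n"
        "\tAccount Domain:\t\tACME\n\tLogon ID:\t\t0x1f41e\n\n"
        f"Account Modified:\n\tAccount Name:\t\t{account}\n\n"
        f"Access Granted:\n\tAccess Right:\t\t{right}\n"
    )
    return {"_time": epoch, "host": host, "_raw": msg}

def summarize(events):
    """Mimic: stats count by Date, AccountModified, RightGranted, host."""
    counts, dropped = Counter(), []
    for ev in events:
        # UTC is used here for a deterministic result; Splunk renders local time.
        date = datetime.fromtimestamp(ev["_time"], tz=timezone.utc).strftime("%Y/%m/%d")
        right = RIGHT_RE.search(ev["_raw"])
        acct = ACCOUNT_RE.search(ev["_raw"])
        if not (right and acct):
            dropped.append(ev)  # stats ... by omits events missing a by-field
            continue
        counts[(date, acct["AccountModified"], right["RightGranted"], ev["host"])] += 1
    return counts, dropped

EVENTS = [  # constructed sample data
    make_event(1700000000, "dc01", "ACME\\jdoe", "SeRemoteInteractiveLogonRight"),
    make_event(1700000060, "dc01", "ACME\\jdoe", "SeRemoteInteractiveLogonRight"),
    make_event(1700003600, "fs02", "ACME\\svc_backup", "SeServiceLogonRight"),
    # Account rendered as an unresolved SID: no DOMAIN\ prefix to match.
    make_event(1700007200, "fs02", "S-1-5-21-1111111111-2222222222-3333333333-1105",
               "SeBatchLogonRight"),
]

if __name__ == "__main__":
    counts, dropped = summarize(EVENTS)
    for key, n in sorted(counts.items(), reverse=True):
        print(*key, n)
    print("events with no AccountModified extracted:", len(dropped))
```

Comparing the raw count of EventCode=4717 events with the sum of the `count` column is a quick way to see whether any events were dropped this way.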