SPL

Security Access granted to an Account

Description

Submitted by SplunkNinja

Like most Windows security logs, there are two formats depending on which version of Windows you are running. The query for Windows 7 / Server 2008 and newer looks like this:

sourcetype="WinEventLog:Security" EventCode=4717 | eval Date=strftime(_time, "%Y/%m/%d") | stats count by src_user, user, Access_Right, Date, Keywords | rename src_user as "Source Account" | rename user as "Target Account" | rename Access_Right as "New Rights Granted"
The query for a system running Server 2003 or older looks like this:
sourcetype="WinEventLog:Security" EventCode=621 Account_Modified!="%{*" | eval Date=strftime(_time, "%Y/%m/%d") | stats count by User_Name, Account_Modified, Access_Granted, Date, action | rename User_Name as "Source Account" | rename Account_Modified as "Target Account" | rename Access_Granted as "New Rights Granted"
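To show what the two searches actually produce, here is an added Python re-implementation of both pipelines (filter, Date eval, stats count by, rename) run over a handful of constructed Windows Security events; it is illustrative code, not part of SplunkNinja's snippet, and assumes UTC for the strftime step and the field names Splunk's Windows add-on extracts for these events.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events (not real log data). 4717 = "System security access
# was granted to an account"; 621 is the pre-Vista equivalent. 4718 (access
# removed) is included only to show it is filtered out.
SAMPLE_EVENTS = [
    {"_time": 1606089600, "EventCode": "4717", "src_user": "CORP\\admin01",
     "user": "CORP\\svc_backup", "Access_Right": "SeNetworkLogonRight",
     "Keywords": "Audit Success"},
    {"_time": 1606089660, "EventCode": "4717", "src_user": "CORP\\admin01",
     "user": "CORP\\svc_backup", "Access_Right": "SeNetworkLogonRight",
     "Keywords": "Audit Success"},
    {"_time": 1606176000, "EventCode": "4717", "src_user": "CORP\\admin02",
     "user": "CORP\\jdoe", "Access_Right": "SeInteractiveLogonRight",
     "Keywords": "Audit Success"},
    {"_time": 1606176060, "EventCode": "4718", "src_user": "CORP\\admin02",
     "user": "CORP\\jdoe", "Access_Right": "SeInteractiveLogonRight",
     "Keywords": "Audit Success"},
    # Legacy 621 with an unresolved SID placeholder: dropped by Account_Modified!="%{*"
    {"_time": 1606176120, "EventCode": "621", "User_Name": "CORP\\admin03",
     "Account_Modified": "%{S-1-5-21-1-2-3-1001}",
     "Access_Granted": "SeServiceLogonRight", "action": "modified"},
    {"_time": 1606176180, "EventCode": "621", "User_Name": "CORP\\admin03",
     "Account_Modified": "CORP\\svc_web",
     "Access_Granted": "SeServiceLogonRight", "action": "modified"},
]

def strftime_day(epoch):
    """eval Date=strftime(_time, "%Y/%m/%d"); UTC assumed here."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y/%m/%d")

def _stats_count_by(events, keep, by, renamed):
    """stats count by <by> with the final rename steps applied to the keys."""
    counts = Counter()
    for e in events:
        if keep(e):
            key = tuple(strftime_day(e["_time"]) if f == "Date" else e[f] for f in by)
            counts[key] += 1
    return [dict(zip(renamed, k), count=n) for k, n in sorted(counts.items())]

def access_granted_modern(events):
    """Windows 7 / Server 2008+ search: EventCode=4717."""
    return _stats_count_by(events, lambda e: e.get("EventCode") == "4717",
        ("src_user", "user", "Access_Right", "Date", "Keywords"),
        ("Source Account", "Target Account", "New Rights Granted", "Date", "Keywords"))

def access_granted_legacy(events):
    """Server 2003 search: EventCode=621 and Account_Modified not matching "%{*"."""
    return _stats_count_by(events, lambda e: e.get("EventCode") == "621"
        and not e["Account_Modified"].startswith("%{"),
        ("User_Name", "Account_Modified", "Access_Granted", "Date", "action"),
        ("Source Account", "Target Account", "New Rights Granted", "Date", "action"))
```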

Comments

Brandon
11/23/2020

What is this "Access_Right" field? Assuming it's from a custom field extraction.
