
System Security Access Removed from Account

Description

Submitted by SplunkNinja

The following queries list security access that was removed from an account in a Windows environment. The queries differ by Windows version, because both the field syntax and the Event IDs changed after Windows Server 2003 (EventCode 4718 on 2008 and newer, EventCode 622 on 2003 and older). Windows Server 2008 and newer:
sourcetype="WinEventLog:Security" EventCode=4718
| eval Date=strftime(_time, "%Y/%m/%d")
| stats count by src_user, user, Access_Right, Date, Keywords
| rename src_user as "Source Account", user as "Target Account", Access_Right as "Rights Removed"
Windows Server 2003 and older:
sourcetype="WinEventLog:Security" EventCode=622 Account_Modified!="%{*"
| eval Date=strftime(_time, "%Y/%m/%d")
| stats count by User_Name, Account_Modified, Access_Removed, Date, action
| rename User_Name as "Source Account", Account_Modified as "Target Account", Access_Removed as "Rights Removed"
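To make the detection logic of the two queries concrete without a Splunk instance, here is an added Python re-implementation of the same pipeline (filter on the event code, bucket by day, count by source account, target account, right and audit keyword, then rename the columns). It is example code written for this page, not SplunkNinja's or Splunk's. Its assumptions: the multi-line WinEventLog:Security text layout is approximated with constructed events (all names, SIDs and times are made up), the "Access Removed" message label is mapped to the query's Access_Right column, and the exclusion of targets beginning with "%{" mirrors the Account_Modified!="%{*" filter of the 2003 query.

```python
"""Offline re-implementation of the 4718 query: filter, day bucket, count by
(source, target, right, date, keywords), then rename the columns.
Added example; the event text layout and the label->field mapping are assumptions."""
import re
from collections import Counter
from datetime import datetime


def make_event(ts, code, keywords, subject, target, right):
    """Build one constructed WinEventLog:Security event in the multi-line text
    layout Splunk's classic Windows input ingests (the layout is an assumption)."""
    if code == 4718:
        msg, label = "System security access was removed from an account.", "Access Removed"
    else:
        msg, label = "System security access was granted to an account.", "Access Granted"
    return (
        f"{ts}\nLogName=Security\nEventCode={code}\nKeywords={keywords}\nMessage={msg}\n\n"
        f"Subject:\n\tSecurity ID:\t\tS-1-5-21-1-2-3-500\n\tAccount Name:\t\t{subject}\n"
        f"\tAccount Domain:\t\tCORP\n\tLogon ID:\t\t0x3e7\n\n"
        f"Account Modified:\n\tAccount Name:\t\t{target}\n\n"
        f"{label}:\t\t{right}\n"
    )


# Constructed sample data: accounts, SIDs and timestamps are made up.
SAMPLE_EVENTS = [
    make_event("01/15/2024 09:12:44 AM", 4718, "Audit Success", "admin.jane",
               "S-1-5-21-1-2-3-1105", "SeRemoteInteractiveLogonRight"),
    make_event("01/15/2024 09:13:02 AM", 4718, "Audit Success", "admin.jane",
               "S-1-5-21-1-2-3-1105", "SeRemoteInteractiveLogonRight"),
    make_event("01/16/2024 02:40:10 PM", 4718, "Audit Success", "svc_deploy",
               "S-1-5-21-1-2-3-1200", "SeNetworkLogonRight"),
    # A grant (4717), not a removal: the EventCode filter must drop it.
    make_event("01/16/2024 02:41:00 PM", 4717, "Audit Success", "admin.jane",
               "S-1-5-21-1-2-3-1105", "SeRemoteInteractiveLogonRight"),
    # Unresolved-SID placeholder target, the case the 2003 query excludes
    # with Account_Modified!="%{*".
    make_event("01/16/2024 03:05:19 PM", 4718, "Audit Success", "svc_deploy",
               "%{S-1-5-21-1-2-3-9999}", "SeBatchLogonRight"),
]

HEADER_RE = re.compile(r"^(\w+)=(.*)$")               # e.g. EventCode=4718
FIELD_RE = re.compile(r"^\t?([A-Za-z ]+):\t+(.+)$")   # e.g. \tAccount Name:\t\tvalue


def parse_event(raw):
    """Parse one event into a flat dict. Indented fields are prefixed with their
    section ("Subject", "Account Modified") so the two Account Name values stay apart."""
    lines = raw.splitlines()
    ev = {"_time": datetime.strptime(lines[0].strip(), "%m/%d/%Y %I:%M:%S %p")}
    section = None
    for line in lines[1:]:
        if not line.strip():
            section = None                 # a blank line closes the current section
            continue
        m = HEADER_RE.match(line)
        if m:                              # top-level key=value header
            ev[m.group(1)] = m.group(2)
            continue
        if not line.startswith("\t") and line.endswith(":"):
            section = line[:-1]            # "Subject:" / "Account Modified:"
            continue
        m = FIELD_RE.match(line)
        if m:
            key = m.group(1).strip().replace(" ", "_")
            if section:
                key = f"{section.replace(' ', '_')}_{key}"
            ev[key] = m.group(2).strip()
    return ev


def rows(raw_events, skip_unresolved=True):
    """Equivalent of: EventCode=4718 | eval Date=... | stats count by ... | rename ..."""
    counts = Counter()
    for raw in raw_events:
        ev = parse_event(raw)
        if ev.get("EventCode") != "4718":
            continue
        target = ev["Account_Modified_Account_Name"]
        if skip_unresolved and target.startswith("%{"):
            continue
        key = (ev["Subject_Account_Name"], target, ev["Access_Removed"],
               ev["_time"].strftime("%Y/%m/%d"), ev["Keywords"])
        counts[key] += 1
    return [
        {"Source Account": s, "Target Account": t, "Rights Removed": r,
         "Date": d, "Keywords": k, "count": n}
        for (s, t, r, d, k), n in sorted(counts.items())
    ]


if __name__ == "__main__":
    for row in rows(SAMPLE_EVENTS):
        print(row)
```

Run as a script, it prints two aggregated rows: the two removals of the same right from the same target on 2024/01/15 collapse into one row with count 2, the 4717 grant and the unresolved-SID placeholder target are filtered out, and the remaining removal appears with count 1. Passing skip_unresolved=False keeps the placeholder row, which is the behaviour the 2008 query has since it carries no such filter.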

