Ad slot: top
GoSplunk SPL + dashboard repository
Log in Register

SPL

Windows Time Change

WinEventLog:Security

Description

Submitted by SplunkNinja

This query will list all users who initiated a time change. System accounts change time automatically, as such I've ignored system accounts from the query output. Windows 2008 and newer:
0 0 
sourcetype=WinEventLog:Security EventCode=4616 Account_Name!="*$" Account_Name!="LOCAL SERVICE"| stats count by Account_Name
Windows 2003 and before: 
sourcetype=WinEventLog:Security user!="*$" user!="LOCAL SERVICE" EventCode=520 | stats count by user

Comments

0 total

Be the first to comment on this SPL.

Leave a comment

You must log in to post a comment.

Ad slot: bottom