System Time Modifications in Windows

WinEventLog:Security
SplunkNinja
You already voted!

The following queries will return modifications to time in a windows environment. It ignores system and service accounts.

Windows 2008 and newer:
source="WinEventLog:Security" EventCode=4616 (NOT Account_Name="*$") (NOT Account_Name="LOCAL SERVICE")| eval Date=strftime(_time, "%Y/%m/%d %H:%M:%S")| eval oldtime = strptime(replace(Previous_Time, "\D", ""), "%Y%m%d%H%M%S%9N") | eval t=_time | rename t as "eventtime" |eval diff=round(((eventtime-oldtime)/60)/60,2) | where diff!=0| stats count by host, Account_Name, diff, Date | sort - Date| rename diff as "Hours Between New Time and Actual Time" |rename Account_Name as "Source Account" | rename host as "Target Machine"|rename Date as "Date and Time"| fields - count

Windows 2003 and older:
source="WinEventLog:Security" (EventCode=520) (NOT User="LOCAL SERVICE") ( NOT User="SYSTEM") | eval Date=strftime(_time, "%Y/%m/%d %H:%M:%S")| eval YourDate=Previous_Time | eval epoch1=strptime(YourDate,"%H:%M:%S %p %m/%d/%Y") | convert timeformat="%H:%M:%S %p %m/%d/%Y" mktime(YourDate) as oldtime | eval t=_time | rename t as "eventtime"| eval diff=round(((eventtime-oldtime)/60)/60,2) | where diff!=0| stats count by host, User, diff, Date | sort - Date| rename diff as "Hours Between New Time and Actual Time" |rename Account_Name as "Source Account" | rename host as "Target Machine"|rename Date as "Date and Time"| fields - count| fields - count

Share This:

Tagged: System Time Change Time Sync

Leave A Comment? Click here to cancel reply.

Newest | Active

Яромир

Active 2 hours, 18 minutes ago
Борис

Active 15 hours, 7 minutes ago
Sanjai

Active 6 days, 6 hours ago
bewafaha

Active 1 week, 1 day ago
sadloveshayari

Active 1 week, 2 days ago