System Security Access Removed from Account

The following queries will list security access that was removed from an account in a Windows environment. Queries look different depending on which version of Windows you are running as the syntax and the EventID’s changed after 2003. Windows Server 2008 and newer: sourcetype=”WinEventLog:Security” EventCode=4718 | eval Date=strftime(_time, “%Y/%m/%d”) | stats count by src_user, user, […]

Continue Reading →