The following queries will return modifications to time in a windows environment. It ignores system and service accounts. Windows 2008 and newer: source=”WinEventLog:Security” EventCode=4616 (NOT Account_Name=”*$”) (NOT Account_Name=”LOCAL SERVICE”)| eval Date=strftime(_time, “%Y/%m/%d %H:%M:%S”)| eval oldtime = strptime(replace(Previous_Time, “\D”, “”), “%Y%m%d%H%M%S%9N”) | eval t=_time | rename t as “eventtime” |eval diff=round(((eventtime-oldtime)/60)/60,2) | where diff!=0| stats count […]
Windows Time Change
This query will list all users who initiated a time change. System accounts change time automatically, as such I’ve ignored system accounts from the query output. Windows 2008 and newer: sourcetype=WinEventLog:Security EventCode=4616 Account_Name!=”*$” Account_Name!=”LOCAL SERVICE”| stats count by Account_Name Windows 2003 and before: sourcetype=WinEventLog:Security user!=”*$” user!=”LOCAL SERVICE” EventCode=520 | stats count by user
