The following splunk query will give you all permission changes for each user. There are four queries. 1. Windows 2008 Permission Increases:
|
1 |
sourcetype=WinEventLog:Security (EventCode=4717) | eval Date=strftime(_time, "%Y/%m/%d") | rex "Access\sGranted:\s+Access\sRight:\s+(?<RightGranted>\w+)" | rex "Account\sModified:\s+\w+\s\S+\s+.*\\\(?<AccountModified>.*)" | stats count by Date, AccountModified, RightGranted, host | sort - Date |
2. Windows 2008 Permission Decreases:
|
1 |
sourcetype=WinEventLog:Security (EventCode=4718) | eval Date=strftime(_time, "%Y/%m/%d") | rex "Access\sRemoved:\s+Access\sRight:\s+(?<RightRemoved>\w+)"| rex "Account\sModified:\s+\w+\s\S+\s+.*\\\(?<AccountModified>.*)" | stats count by Date, AccountModified, RightRemoved, host | sort - Date | rename RightRemoved as "Rights Removed" | rename AccountModified as "Account Modified" |
3.Windows 2003 Permission Increases:
|
1 |
sourcetype=WinEventLog:Security EventCode=608 | eval Date=strftime(_time, "%Y/%m/%d") | rex "Message=User\sRight\sAssigned:\s+User\sRight:\s+(?<RightGranted>\w+)" | rex "Assigned\sTo:\s+.*\\\(?<AccountModified>.*)" | stats count by Date, AccountModified, RightGranted, host | sort - Date | rename RightGranted as "Rights Granted" | rename AccountModified as "Account Modified" |
4. Windows 2003 Permission Decreases:
|
1 |
sourcetype=WinEventLog:Security EventCode=609 | eval Date=strftime(_time, "%Y/%m/%d") | rex "Message=User\sRight\sRemoved:\s+User\sRight:\s+(?<RightRemoved>\w+)" | rex "Removed\sFrom:\s+.*\\\(?<AccountModified>.*)" | stats count by Date, AccountModified, RightRemoved, host | sort - Date | rename RightRemoved as "Rights Removed" | rename AccountModified as "Account Modified" |
