Tag: Windows Permissions

Account Modifications in a Windows Environment

  • WinEventLog:Security
  • ItsJohnLocke

The following Splunk queries will give you all permission (user right) changes for each user. There are four queries.

1. Windows 2008 Permission Increases:

sourcetype=WinEventLog:Security (EventCode=4717) | eval Date=strftime(_time, "%Y/%m/%d") | rex "Access\sGranted:\s+Access\sRight:\s+(?<RightGranted>\w+)" | rex "Account\sModified:\s+\w+\s\S+\s+.*\\\(?<AccountModified>.*)" | stats count by Date, AccountModified, RightGranted, host | sort - Date

2. Windows 2008 Permission Decreases:

sourcetype=WinEventLog:Security (EventCode=4718) | eval Date=strftime(_time, "%Y/%m/%d") | rex "Access\sRemoved:\s+Access\sRight:\s+(?<RightRemoved>\w+)" | rex "Account\sModified:\s+\w+\s\S+\s+.*\\\(?<AccountModified>.*)" | stats count by Date, AccountModified, RightRemoved, host | sort - Date | rename RightRemoved as "Rights Removed" | rename AccountModified as "Account Modified"

3. Windows 2003 Permission Increases:

sourcetype=WinEventLog:Security EventCode=608 | eval Date=strftime(_time, "%Y/%m/%d") | rex "Message=User\sRight\sAssigned:\s+User\sRight:\s+(?<RightGranted>\w+)" | rex "Assigned\sTo:\s+.*\\\(?<AccountModified>.*)" | stats count by Date, AccountModified, RightGranted, host | sort - Date | rename RightGranted as "Rights Granted" | rename AccountModified as "Account Modified"

4. Windows 2003 Permission Decreases:

sourcetype=WinEventLog:Security EventCode=609 | eval Date=strftime(_time, "%Y/%m/%d") | rex "Message=User\sRight\sRemoved:\s+User\sRight:\s+(?<RightRemoved>\w+)" | rex "Removed\sFrom:\s+.*\\\(?<AccountModified>.*)" | stats count by Date, AccountModified, RightRemoved, host | sort - Date | rename RightRemoved as "Rights Removed" | rename AccountModified as "Account Modified"
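To see what the four rex/stats pipelines above actually extract, here is an added, Splunk-independent Python equivalent (not from the original post): it applies Python versions of the four rex pairs to constructed Security-log events and groups the hits the way the `stats count by Date, AccountModified, Right, host | sort - Date` stage does. The event texts, hosts and account names are constructed to mimic the field layout the patterns expect; check the patterns against real 4717/4718/608/609 events before relying on them.

```python
import re
from collections import Counter
from datetime import datetime

# EventCode -> (direction, right regex, account regex): Python equivalents of the
# four rex pairs in the post; the account regex keeps only the part after DOMAIN\.
PATTERNS = {
    "4717": ("granted", r"Access\s+Granted:\s+Access\s+Right:\s+(?P<right>\w+)",
             r"Account\s+Modified:\s+Account\s+Name:\s+(?:\S*\\)?(?P<account>\S+)"),
    "4718": ("removed", r"Access\s+Removed:\s+Access\s+Right:\s+(?P<right>\w+)",
             r"Account\s+Modified:\s+Account\s+Name:\s+(?:\S*\\)?(?P<account>\S+)"),
    "608": ("granted", r"User\s+Right\s+Assigned:\s+User\s+Right:\s+(?P<right>\w+)",
            r"Assigned\s+To:\s+(?:\S*\\)?(?P<account>\S+)"),
    "609": ("removed", r"User\s+Right\s+Removed:\s+User\s+Right:\s+(?P<right>\w+)",
            r"Removed\s+From:\s+(?:\S*\\)?(?P<account>\S+)"),
}

# Constructed sample events (not real log data); the text mimics the Security log layout.
GRANT_2008 = "Account Modified:\n\tAccount Name:\t\tCORP\\svc_backup\n\nAccess Granted:\n\tAccess Right:\t\tSeServiceLogonRight"
EVENTS = [
    {"_time": "2019-03-04T09:15:00", "host": "DC01", "EventCode": "4717", "Message": GRANT_2008},
    {"_time": "2019-03-04T09:16:00", "host": "DC01", "EventCode": "4717", "Message": GRANT_2008},
    {"_time": "2019-03-05T11:00:00", "host": "FS2003", "EventCode": "608",
     "Message": "User Right Assigned:\n\tUser Right:\tSeDebugPrivilege\n\tAssigned To:\tCORP\\jdoe"},
    {"_time": "2019-03-05T11:30:00", "host": "DC01", "EventCode": "4718",
     "Message": "Account Modified:\n\tAccount Name:\t\tCORP\\jdoe\n\nAccess Removed:\n\tAccess Right:\t\tSeNetworkLogonRight"},
    {"_time": "2019-03-05T12:00:00", "host": "DC01", "EventCode": "4624",
     "Message": "An account was successfully logged on."},  # not a rights change: ignored
]

def parse_event(event):
    """Return (Date, AccountModified, Right, host, direction), or None when the code is
    not one of the four or a pattern fails (stats likewise drops rows with null by-fields)."""
    spec = PATTERNS.get(event["EventCode"])
    if spec is None:
        return None
    direction, right_re, account_re = spec
    right = re.search(right_re, event["Message"])
    account = re.search(account_re, event["Message"])
    if not (right and account):
        return None
    date = datetime.fromisoformat(event["_time"]).strftime("%Y/%m/%d")
    return (date, account["account"], right["right"], event["host"], direction)

def summarize(events, direction):
    """`stats count by Date, AccountModified, Right, host | sort - Date` for the
    'granted' (4717/608) or 'removed' (4718/609) pair of queries."""
    rows = Counter(r[:4] for r in map(parse_event, events) if r and r[4] == direction)
    return sorted(rows.items(), key=lambda kv: kv[0][0], reverse=True)
```

Running `summarize(EVENTS, "granted")` collapses the two identical 4717 events into one row with count 2, which is the aggregation that makes a sudden burst of right assignments to one account stand out in the table.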

GoSplunk is not affiliated with Splunk Inc. in any way.

© 2019 GoSplunk