Time between rights granted and rights revoked

This query outputs a table that indicates the time difference between Rights granted and Rights revoked. Modify the maxspan time within the transaction function to meet your environments needs.

Regex is used here, and is part of the query.

Windows 2008 and newer:
sourcetype=WinEventLog:Security (EventCode=4717 OR EventCode=4718) | rex "Access\sGranted:\s+Access\sRight:\s+(?\w+)"| rex "Access\sRemoved:\s+Access\sRight:\s+(?\w+)"| eval Rights=coalesce(RightGranted,RightRemoved) | eval status=case(EventCode=4717, "New Rights Granted by:", EventCode=4718, "Rights Removed by:")| transaction Rights user startswith="Granted" endswith="Removed" |where duration > 0| eval duration = duration/60 |eval n=round(duration,2) | eval Date=strftime(_time, "%Y/%m/%d") | table Date, host, status, Security_ID, user, Rights, n |rename Security_ID as "Source Account" | rename user as "Target Account" | rename n as "Minutes between Rights Granted Then Removed" | sort - date

Windows 2003 and before:
sourcetype=WinEventLog:Security (EventCode=608 OR EventCode=609) | rex "Message=User\sRight\sAssigned:\s+User\sRight:\s+(?\w+)"| rex "Message=User\sRight\sRemoved:\s+User\sRight:\s+(?\w+)"| eval Rights=coalesce(RightGranted,RightRemoved) | eval status=case(EventCode=608, "New Rights Granted by:", EventCode=609, "Rights Removed by:")| transaction Rights user startswith="Assigned" endswith="Removed" |where duration > 0| eval duration = duration/60 |eval n=round(duration,2) | eval Date=strftime(_time, "%Y/%m/%d") | table Date, host, status, User, user, Rights, n | rename User as "Source Account" | rename user as "Target Account" | rename n as "Minutes between Rights Granted Then Removed" | sort - date

Share This: