User account changed
Your boss is concerned about insider threat at your organization and wants a report on all user account changes.
Data required
Procedure
This sample search uses Microsoft Windows security event logs. You can replace this source with any other system log data used in your organization.
- Set the search time range to the time relevant to the investigation, if known.
- Run the following search. You can optimize it by specifying an index.
index=<index name> [search index=<index name> sourcetype=WinEventLog:Security EventCode=4738 | eval earliest=_time-120 | eval latest=_time+120 | fields host, earliest, latest] | table host sourcetype EventCode Message
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| `index=<index name>` | Search only the specified index. |
| `[search index=<index name>` | Begin a subsearch so that you can look for events that occurred in a specific time frame, as explained in subsequent rows. |
| `sourcetype=WinEventLog:Security` | Search only Windows security event logs. |
| `EventCode=4738` | Search for user accounts that have been changed. |
| `\| eval earliest=_time-120` | Set the `earliest` field to two minutes (120 seconds) before the time of the 4738 event. |
| `\| eval latest=_time+120` | Set the `latest` field to two minutes (120 seconds) after the time of the 4738 event. |
| `\| fields host, earliest, latest]` | Keep only the host, earliest, and latest fields to speed up the search, and end the subsearch. Splunk substitutes the subsearch results into the outer search as one `(host=... earliest=... latest=...)` clause per 4738 event, joined with OR. |
| `\| table host sourcetype EventCode Message` | Display the results in a table with columns in the order shown. |
Next steps
The EventCode and Message fields describe any changes that were made to a user account in the four minutes surrounding the account status change. Because the outer search does not restrict the sourcetype, events from any log source on the affected host can appear in that window, which is why the sourcetype column is included. You might want to investigate any messages that indicate a user was granted administrator access to a domain or standalone Windows machine on your network. If users have been unexpectedly granted administrative privileges, you might want to start looking for remote administrative logons.
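To make the subsearch mechanics concrete, here is an added Python example (not part of the original page and not Splunk code) that emulates the search over a handful of constructed Windows security event records: it derives a `(host, earliest, latest)` window from each EventCode 4738 event, renders the OR'd filter that Splunk substitutes into the outer search, keeps every event on that host inside its window regardless of sourcetype, and then applies the triage step from the next steps above by flagging rows whose Message mentions an Administrators group. The sample events, hostnames, account names and timestamps are all made up for the example; the 4732 record uses the real Windows event ID for a member being added to a security-enabled local group, but the message text is an abbreviated stand-in, not a verbatim Windows log line.

```python
from datetime import datetime, timedelta, timezone

WINDOW_SECONDS = 120  # matches the +/-120 in the eval statements

# Constructed sample events standing in for index=<index name> sourcetype=WinEventLog:Security.
# Hosts, account names and timestamps are made up for this example.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T10:00:00", "host": "dc01", "sourcetype": "WinEventLog:Security", "EventCode": 4624,
     "Message": "An account was successfully logged on. Account Name: jsmith"},
    {"_time": "2024-05-01T10:01:00", "host": "dc01", "sourcetype": "WinEventLog:Security", "EventCode": 4738,
     "Message": "A user account was changed. Target Account Name: jsmith"},
    {"_time": "2024-05-01T10:01:30", "host": "dc01", "sourcetype": "WinEventLog:Security", "EventCode": 4732,
     "Message": "A member was added to a security-enabled local group. Group Name: Administrators Member: jsmith"},
    {"_time": "2024-05-01T10:05:00", "host": "dc01", "sourcetype": "WinEventLog:Security", "EventCode": 4624,
     "Message": "An account was successfully logged on. Account Name: jsmith"},
    {"_time": "2024-05-01T10:01:10", "host": "ws07", "sourcetype": "WinEventLog:Security", "EventCode": 4624,
     "Message": "An account was successfully logged on. Account Name: bob"},
    {"_time": "2024-05-01T11:30:00", "host": "ws07", "sourcetype": "WinEventLog:Security", "EventCode": 4738,
     "Message": "A user account was changed. Target Account Name: bob"},
]


def parse_time(value):
    """Parse the ISO-8601 _time string as UTC so epoch values are deterministic."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def subsearch_windows(events, window=WINDOW_SECONDS):
    """Emulate the bracketed subsearch: one (host, earliest, latest) row per 4738 event."""
    windows = []
    for event in events:
        if event["sourcetype"] == "WinEventLog:Security" and event["EventCode"] == 4738:
            t = parse_time(event["_time"])
            windows.append({
                "host": event["host"],
                "earliest": t - timedelta(seconds=window),
                "latest": t + timedelta(seconds=window),
            })
    return windows


def render_subsearch_filter(windows):
    """Render the OR'd clause Splunk substitutes into the outer search (epoch seconds, as Splunk uses)."""
    clauses = [
        f'(host="{w["host"]}" earliest={int(w["earliest"].timestamp())} latest={int(w["latest"].timestamp())})'
        for w in windows
    ]
    return " OR ".join(clauses)


def outer_search(events, windows):
    """Emulate the outer search: any event (any sourcetype) on a window host inside its time range.

    Splunk treats earliest as inclusive and latest as exclusive, which is mirrored here.
    """
    rows = []
    for event in events:
        t = parse_time(event["_time"])
        if any(w["host"] == event["host"] and w["earliest"] <= t < w["latest"] for w in windows):
            # | table host sourcetype EventCode Message
            rows.append({k: event[k] for k in ("host", "sourcetype", "EventCode", "Message")})
    return rows


def flag_admin_grants(rows):
    """Next-steps triage: rows whose Message mentions an Administrators group."""
    return [r for r in rows if "Administrators" in r["Message"]]


def run(events=SAMPLE_EVENTS):
    """Run the full pipeline and return (windows, table rows, flagged rows)."""
    windows = subsearch_windows(events)
    rows = outer_search(events, windows)
    return windows, rows, flag_admin_grants(rows)


if __name__ == "__main__":
    windows, rows, flagged = run()
    print("Subsearch filter:", render_subsearch_filter(windows))
    for row in rows:
        print(row["host"], row["sourcetype"], row["EventCode"], row["Message"])
    print("Flagged for review:", len(flagged))
```

Two things the emulation makes visible that the table of explanations does not: the 4624 logon on `ws07` at 10:01 is excluded even though it falls inside `dc01`'s window, because each clause binds its time range to its own host; and the 4732 group change lands in the window without any sourcetype restriction in the outer search. On a large index keep in mind that Splunk caps the number of rows a subsearch can return (10,000 by default), so a long investigation range can silently drop 4738 windows; narrowing the time range, as the procedure suggests, avoids that.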
Finally, you might be interested in other processes associated with the Recognizing improper use of system administration tools use case.