Skip to main content
 
 
 
Splunk Lantern

User account changed

 

Your boss is concerned about insider threat at your organization and wants a report on all user account changes. 

Data required 

System log data

Procedure

This sample search uses Microsoft Windows security event logs. You can replace this source with any other system log data used in your organization.

  1. Set the search time range to the time relevant to the investigation, if known.
  2. Run the following search. You can optimize it by specifying an index.
index=<index name> 
[search index=<index name> sourcetype=WinEventLog:Security EventCode=4738
| eval earliest=_time-120
| eval latest=_time+120
| fields host, earliest, latest]
| table host sourcetype EventCode Message

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

index=<index name>

Search only the specified index.

[search index=<index name>

Begin a subsearch so that you can look for events that occurred in a specific time frame, as explained in subsequent rows.

sourcetype=WinEventLog:Security 

Search only Windows security event logs.

EventCode=4738
 

Search for user accounts that have been changed.

| eval earliest=_time-120
 

Evaluate the two minutes before Event 4738 occurred.

| eval latest=_time+120
 

Evaluate the two minutes after Event 4738 occurred.

| fields host, earliest, latest]
 

Keep only the host, earliest, and latest fields to speed up the search, and end the subsearch.

| table host sourcetype EventCode Message

Display the results in a table with columns in the order shown.

Next steps

The EventCode and Message field describe any changes that were made to a user account in the four minutes surrounding the account status change. You might want to investigate any messages that indicate a user was granted administrator access to a domain or standalone Windows machine on your network. If users have been unexpectedly granted administrative privileges, you might want to start looking for remote administrative logons.

Finally, you might be interested in other processes associated with the Recognizing improper use of system administration tools use case.