Splunk Lantern

User account changed

You might want to examine user account changes and related events when doing the following:

Prerequisites

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

Your boss is concerned about insider threats at your organization and wants a report on all user account changes.

To optimize the search shown below, specify an index and a time range. This sample search uses Windows security event logs; you can replace this source with any other system log data used in your organization.

  1. Set the search time range to the time relevant to the investigation, if known.
  2. Run the following search:
index=<index name> 
[search index=<index name> sourcetype=WinEventLog:Security EventCode=4738
| eval earliest=_time-120
| eval latest=_time+120
| fields host, earliest, latest]
| table host sourcetype EventCode Message

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

index=<index name>

Search only the specified index.

[search index=<index name>

Begin a subsearch so that you can look for events that occurred in a specific time frame, as explained in subsequent rows.

sourcetype=WinEventLog:Security 

Search only Windows security event logs.

EventCode=4738

Search for user accounts that have been changed.

| eval earliest=_time-120

Set the earliest field to two minutes before Event 4738 occurred.

| eval latest=_time+120

Set the latest field to two minutes after Event 4738 occurred.

| fields host, earliest, latest]

Keep only the host, earliest, and latest fields to speed up the search, and end the subsearch. The outer search then returns every event on each of those hosts between earliest and latest.
Keep only the host, earliest, and latest fields to speed up the search, and end the subsearch.

| table host sourcetype EventCode Message

Display the results in a table with columns in the order shown.

Result

The EventCode and Message fields describe any changes that were made to a user account in the four minutes surrounding the account status change. Investigate any messages that indicate a user was granted administrator access to a domain or standalone Windows machine on your network. If users have been unexpectedly granted administrative privileges, start looking for remote administrative logons.
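The following is an added example, not part of the Splunk Lantern article: a Python emulation of the search above that selects EventCode 4738 events, collects every event on the same host inside the +/-120 second window (the subsearch's earliest/latest logic), and flags messages that mention an administrative group, as the Result paragraph suggests. The events, hosts, and group names are constructed sample data, not real logs.

```python
"""Offline emulation of the Splunk 'user account changed' search."""
from datetime import datetime, timedelta

# Constructed sample events shaped like the fields the search uses.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T10:00:00", "host": "dc01", "sourcetype": "WinEventLog:Security",
     "EventCode": 4624, "Message": "An account was successfully logged on."},
    {"_time": "2024-05-01T10:01:00", "host": "dc01", "sourcetype": "WinEventLog:Security",
     "EventCode": 4738, "Message": "A user account was changed. Target Account Name: jdoe"},
    {"_time": "2024-05-01T10:01:30", "host": "dc01", "sourcetype": "WinEventLog:Security",
     "EventCode": 4728, "Message": "A member was added to a security-enabled global group. "
                                  "Group Name: Domain Admins"},
    {"_time": "2024-05-01T10:10:00", "host": "dc01", "sourcetype": "WinEventLog:Security",
     "EventCode": 4634, "Message": "An account was logged off."},          # outside window
    {"_time": "2024-05-01T10:01:10", "host": "ws07", "sourcetype": "WinEventLog:Security",
     "EventCode": 4624, "Message": "An account was successfully logged on."},  # other host
]

WINDOW = timedelta(seconds=120)          # matches _time-120 / _time+120
# Assumed group names to watch for in Message; extend for your environment.
ADMIN_GROUP_HINTS = ("Domain Admins", "Enterprise Admins", "Administrators")


def account_change_windows(events):
    """Subsearch equivalent: one (host, earliest, latest) tuple per EventCode 4738."""
    return [(e["host"],
             datetime.fromisoformat(e["_time"]) - WINDOW,
             datetime.fromisoformat(e["_time"]) + WINDOW)
            for e in events if e["EventCode"] == 4738]


def events_around_account_changes(events):
    """Outer search equivalent: every event on a matching host inside any window,
    returned as (host, sourcetype, EventCode, Message) rows like the final table."""
    windows = account_change_windows(events)
    rows = []
    for e in events:
        t = datetime.fromisoformat(e["_time"])
        if any(e["host"] == h and lo <= t <= hi for h, lo, hi in windows):
            rows.append((e["host"], e["sourcetype"], e["EventCode"], e["Message"]))
    return rows


def admin_grants(rows):
    """Rows whose Message mentions an administrative group, for follow-up review."""
    return [r for r in rows if any(g in r[3] for g in ADMIN_GROUP_HINTS)]


if __name__ == "__main__":
    table = events_around_account_changes(SAMPLE_EVENTS)
    for row in table:
        print(row)
    print("admin grants to review:", admin_grants(table))
```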
