Skip to main content
Splunk Lantern

Windows user group changes


Your organization uses Windows Security Event logs to detect user group modifications that have not followed the appropriate procedures. You want to collect these logs in the Splunk platform so you can analyze them against your organization’s incident register to ensure that each user modification has an associated incident record.

Data required

Microsoft: Windows security logs


Run the following search. You can optimize it by specifying an index and adjusting the time range.

sourcetype=wineventlog:security EventCode = 4728 OR EventCode = 4737

Next steps

Event code 4728 shows when a member was added to a security-enabled global group. Event code 4737 shows when a security global group was changed in Active Directory.

After you have a report showing these events in the Splunk platform, you can compare the date and time of each incident against your incident register to verify that each user modification that has occurred is valid.

Finally, you might be interested in other processes associated with the Monitoring Windows account access use case.