Windows user group changes

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Your organization uses Windows Security Event logs to detect user group modifications that have not followed the appropriate procedures. You want to collect these logs in Splunk so you can analyze them against your organization’s incident register to ensure that each user modification has an associated incident record.

Data required

Microsoft Windows

Procedure

Run the following search. You can optimize it by specifying an index and adjusting the time range.

sourcetype=wineventlog:security EventCode = 4728 OR EventCode = 4737

Next steps

Event code 4728 shows when a member was added to a security-enabled global group. Event code 4737 shows when a security global group was changed in Active Directory.

Once you have a report showing these events in Splunk, you can compare the date and time of each incident against your incident register to verify that each user modification that has occurred is valid.

In addition, these resources might help you understand and implement this guidance:

Use case: Recognizing improper use of system administration tools
Use case: Monitoring Windows account access
Use case: Detecting overly permissive access control lists