Windows user group changes
Your organization uses Windows Security Event logs to detect user group modifications that have not followed the appropriate procedures. You want to collect these logs in the Splunk platform so you can analyze them against your organization’s incident register to ensure that each user modification has an associated incident record.
Data required
Microsoft: Windows security logs
Procedure
Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype=wineventlog:security (EventCode=4728 OR EventCode=4737)
Next steps
Event code 4728 is logged when a member was added to a security-enabled global group. Event code 4737 is logged when a security-enabled global group itself was changed in Active Directory, for example renamed or given new attributes. Note that the parentheses in the search matter: without them, AND binds more tightly than OR, so the search would return every 4737 event from every sourcetype. Both events are written to the Security log of the domain controller that processed the change, so every domain controller must forward its Security log for the report to be complete. These two codes cover global groups only; additions to security-enabled local groups (4732) and universal groups (4756), and changes to those groups (4735 and 4755), are separate event codes that you can add to the search if your procedures cover them.
After you have a report showing these events in the Splunk platform, you can compare the date and time of each event, together with the account that made the change (the Subject account name), the group that was modified (the Group Name) and, for 4728, the member that was added, against your incident register to verify that each user modification that has occurred has a matching incident record.
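The reconciliation step described above, as an added example that is not part of the original page and not Splunk's or Microsoft's code: it parses the multi-line 4728/4737 event text, keeps only those two codes (the same filter the search applies), and flags every change that no incident record covers. The sample events, the incident register, the 15-minute tolerance around each approved change window and the names RAW_EVENTS, REGISTER, parse_event, load_group_changes, reconcile and unauthorised_changes are all constructed assumptions for this example; the event codes and the Subject / Member / Group section labels are the ones Windows writes in these messages.

```python
"""Reconcile Windows group-change events (4728/4737) against an incident register.

Added example for this page, not Splunk's or Microsoft's code. The sample
events, the register and the tolerance are constructed assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

GROUP_CHANGE_CODES = {4728, 4737}   # the two codes the Splunk search selects

# Constructed sample events in the multi-line layout the Splunk Add-on for
# Microsoft Windows emits for WinEventLog:Security events. Not real data.
RAW_EVENTS = [
    """03/11/2024 09:14:22 AM
EventCode=4728
Message=A member was added to a security-enabled global group.
Subject:
    Account Name:   jdoe
Member:
    Account Name:   CN=Alice Smith,OU=Users,DC=corp,DC=example
Group:
    Group Name:     Domain Admins""",
    """03/11/2024 09:10:00 AM
EventCode=4624
Message=An account was successfully logged on.
Subject:
    Account Name:   -
New Logon:
    Account Name:   jdoe""",
    """03/11/2024 01:02:05 PM
EventCode=4737
Message=A security-enabled global group was changed.
Subject:
    Account Name:   jdoe
Group:
    Group Name:     Finance-Global
Changed Attributes:
    SAM Account Name:   Finance-Global""",
    """03/11/2024 11:58:41 PM
EventCode=4728
Message=A member was added to a security-enabled global group.
Subject:
    Account Name:   tsmith
Member:
    Account Name:   CN=svc-backup,OU=Service,DC=corp,DC=example
Group:
    Group Name:     Domain Admins""",
]


@dataclass
class GroupChange:
    time: datetime
    event_code: int
    actor: str              # Subject account that made the change
    group: str              # group that was modified
    member: Optional[str]   # member added (4728 only)


@dataclass
class Incident:
    ticket: str
    group: str
    start: datetime         # approved change window
    end: datetime


# Constructed incident register: one approved change window per ticket.
REGISTER = [
    Incident("INC-1001", "Domain Admins",
             datetime(2024, 3, 11, 9, 0), datetime(2024, 3, 11, 10, 0)),
    Incident("INC-1002", "HR Staff",
             datetime(2024, 3, 11, 14, 0), datetime(2024, 3, 11, 15, 0)),
]


def parse_event(text: str) -> GroupChange:
    """Extract the timestamp, EventCode and section-scoped fields of one event."""
    lines = text.splitlines()
    when = datetime.strptime(lines[0].strip(), "%m/%d/%Y %I:%M:%S %p")
    code = int(re.search(r"^EventCode=(\d+)", text, re.M).group(1))
    fields, section = {}, None
    for line in lines[1:]:
        # Unindented lines ending in ':' open a section (Subject:, Member:, Group:)
        if not line[:1].isspace() and line.endswith(":"):
            section = line[:-1]
            continue
        m = re.match(r"\s+([^:]+):\s*(.*)$", line)
        if m and section:
            # "Account Name" appears under several sections, so key by
            # (section, label) to keep the actor and the added member apart.
            fields[(section, m.group(1).strip())] = m.group(2).strip()
    return GroupChange(time=when, event_code=code,
                       actor=fields.get(("Subject", "Account Name"), ""),
                       group=fields.get(("Group", "Group Name"), ""),
                       member=fields.get(("Member", "Account Name")))


def load_group_changes(raw_events: List[str]) -> List[GroupChange]:
    """Keep only 4728/4737, mirroring the EventCode filter in the Splunk search."""
    changes = (parse_event(e) for e in raw_events)
    return sorted((c for c in changes if c.event_code in GROUP_CHANGE_CODES),
                  key=lambda c: c.time)


def reconcile(changes, register, tolerance=timedelta(minutes=15)):
    """Pair each change with the ticket whose group and window cover it, else None."""
    paired: List[Tuple[GroupChange, Optional[str]]] = []
    for c in changes:
        ticket = next((i.ticket for i in register
                       if i.group.casefold() == c.group.casefold()
                       and i.start - tolerance <= c.time <= i.end + tolerance),
                      None)
        paired.append((c, ticket))
    return paired


def unauthorised_changes(raw_events=RAW_EVENTS, register=REGISTER):
    """Group changes with no covering incident record: the review queue."""
    return [c for c, ticket in reconcile(load_group_changes(raw_events), register)
            if ticket is None]


if __name__ == "__main__":
    for c in unauthorised_changes():
        print(f"{c.time:%Y-%m-%d %H:%M:%S} {c.event_code} {c.actor} -> "
              f"{c.group} {c.member or ''} (no incident record)")
```

On the constructed data the 4624 logon is dropped by the code filter, the Domain Admins addition at 09:14 is matched to INC-1001, and the remaining two changes (the Finance-Global modification and the late-night Domain Admins addition by tsmith) come out as the review queue. Matching on group name and time window only is deliberate: an incident record normally names the group being changed and the approved window, and anything outside that is what the procedure exists to catch.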
Finally, you might be interested in other processes associated with the Monitoring Windows account access use case.