Navigation :

Detect New Local Admin Account

Description

This search looks for newly created accounts that have been elevated to local administrators.

Help
Detect New Local Admin Account Help You must be ingesting Windows event logs using the Splunk Windows TA and collecting event code 4720 and 4732

Help

Detect New Local Admin Account Help

You must be ingesting Windows event logs using the Splunk Windows TA and collecting event code 4720 and 4732

Search
`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) \| transaction member_id connected=false maxspan=180m \| rename member_id as user \| stats count min(_time) as firstTime max(_time) as lastTime by user dest \| `security_content_ctime(firstTime)`\| `security_content_ctime(lastTime)` \| `detect_new_local_admin_account_filter` Open in Search

Search

`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) | transaction member_id connected=false maxspan=180m | rename member_id as user | stats count min(_time) as firstTime max(_time) as lastTime by user dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_new_local_admin_account_filter`

Open in Search