https://community.splunk.com/t5/Splunk-Search/Users-loging-into-workstations-with-local-admin-or-domain-admin/m-p/516574#M145193 <P>Yes, I do see 4672 from end points.<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Splunk.jpg" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10545i437DED023027E7D8/image-size/medium?v=v2&amp;px=400" role="button" title="Splunk.jpg" alt="Splunk.jpg" /></span></P> Thu, 27 Aug 2020 18:56:57 GMT ldefoor 2020-08-27T18:56:57Z https://community.splunk.com/t5/Splunk-Search/Users-loging-into-workstations-with-local-admin-or-domain-admin/m-p/516312#M145080 <P>First off, I am very new to Splunk and that may be my downfall. Our latest Splunk guru has left and this fell to me rather abruptly, so I apologize in advance.</P><P>I have been tasked with generating a report showing users that are logging into the local computers with elevated privileges of their standard daily accounts.</P><P>For example, if a user has two logins, username and ADUserName. I need to find out if username is a local admin on their computer and when they have logged in using that account.</P><P>I have been trying to figure this out but for the last two weeks haven't actually made any progress.</P><P>Hoping someone can point me in the right direction - thank you very much!</P> Wed, 26 Aug 2020 16:15:48 GMT https://community.splunk.com/t5/Splunk-Search/Users-loging-into-workstations-with-local-admin-or-domain-admin/m-p/516312#M145080 ldefoor 2020-08-26T16:15:48Z https://community.splunk.com/t5/Splunk-Search/Users-loging-into-workstations-with-local-admin-or-domain-admin/m-p/516364#M145092 <P>Are you collecting logs from endpoints to see if &nbsp;user is making login locally instead using his/her domain account.</P><P>You need to have event logs from each endpoint to detect if they are login &nbsp;locally using admin rights. 4672 is the event code.</P><P><A href="https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4672" target="_blank">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4672</A></P><P>or you could easily detect employees who are login using local admin account if you have Microsoft defender ATP installed on endpoints.</P> Wed, 26 Aug 2020 19:28:59 GMT https://community.splunk.com/t5/Splunk-Search/Users-loging-into-workstations-with-local-admin-or-domain-admin/m-p/516364#M145092 thambisetty 2020-08-26T19:28:59Z https://community.splunk.com/t5/Splunk-Search/Users-loging-into-workstations-with-local-admin-or-domain-admin/m-p/516367#M145094 <P>We are ingesting those logs from all the end points.</P><P>I have searched on that and am only finding systems logging in with elevated privs. I know the admins are doing this, they will tell me they are, but looking for a way to see the activity <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Wed, 26 Aug 2020 19:44:38 GMT https://community.splunk.com/t5/Splunk-Search/Users-loging-into-workstations-with-local-admin-or-domain-admin/m-p/516367#M145094 ldefoor 2020-08-26T19:44:38Z https://community.splunk.com/t5/Splunk-Search/Users-loging-into-workstations-with-local-admin-or-domain-admin/m-p/516569#M145190 <P>Did you see 4672 events collected from endpoints?</P> Thu, 27 Aug 2020 18:45:11 GMT https://community.splunk.com/t5/Splunk-Search/Users-loging-into-workstations-with-local-admin-or-domain-admin/m-p/516569#M145190 thambisetty 2020-08-27T18:45:11Z https://community.splunk.com/t5/Splunk-Search/Users-loging-into-workstations-with-local-admin-or-domain-admin/m-p/516574#M145193 <P>Yes, I do see 4672 from end points.<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Splunk.jpg" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10545i437DED023027E7D8/image-size/medium?v=v2&amp;px=400" role="button" title="Splunk.jpg" alt="Splunk.jpg" /></span></P> Thu, 27 Aug 2020 18:56:57 GMT https://community.splunk.com/t5/Splunk-Search/Users-loging-into-workstations-with-local-admin-or-domain-admin/m-p/516574#M145193 ldefoor 2020-08-27T18:56:57Z https://community.splunk.com/t5/Splunk-Search/Users-loging-into-workstations-with-local-admin-or-domain-admin/m-p/516575#M145194 <P>Can you try accessing endpoint using local admin account and see how events is generated then you can understand event behavior.</P> Thu, 27 Aug 2020 18:58:31 GMT https://community.splunk.com/t5/Splunk-Search/Users-loging-into-workstations-with-local-admin-or-domain-admin/m-p/516575#M145194 thambisetty 2020-08-27T18:58:31Z