All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk App for Windows Infrastructure: why is Splunk not picking up locally added admins in a Windows Box?

wkrao
New Member
‎02-08-2019 08:00 AM

Hi,

Our Splunk instance doesn't pick up whenever a local admin is added to a box. We have Splunk App for Windows Infrastructure.

Can anyone help?

Here's the Raw event -

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4732
EventType=0
Type=Information
ComputerName=CONTOSO12.asgard.local
TaskCategory=Security Group Management
OpCode=Info
RecordNumber=1586713
Keywords=Audit Success
Message=A member was added to a security-enabled local group.

Subject:

Security ID:        S-1-5-21-603863440-1198007367-1538882281-5339

Account Name:       robert.langdon

Account Domain:     INFERNO

Logon ID:       0x541DADE

Member:

Security ID:        S-1-5-21-603863440-11966776767-1568884481-7096

Account Name:       -

Group:

Security ID:        S-1-5-32-544

Group Name:     Administrators

Group Domain:       Builtin

Additional Information:

Privileges:     -
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...