Hi,
Our Splunk instance doesn't pick up whenever a local admin is added to a box. We have Splunk App for Windows Infrastructure.
Can anyone help?
Here's the raw event:
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4732
EventType=0
Type=Information
ComputerName=CONTOSO12.asgard.local
TaskCategory=Security Group Management
OpCode=Info
RecordNumber=1586713
Keywords=Audit Success
Message=A member was added to a security-enabled local group.
Subject:
Security ID: S-1-5-21-603863440-1198007367-1538882281-5339
Account Name: robert.langdon
Account Domain: INFERNO
Logon ID: 0x541DADE
Member:
Security ID: S-1-5-21-603863440-11966776767-1568884481-7096
Account Name: -
Group:
Security ID: S-1-5-32-544
Group Name: Administrators
Group Domain: Builtin
Additional Information:
Privileges: -
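As an added example (not from the post, and not the Splunk App for Windows Infrastructure's own logic): a small Python check that flattens this 4732 event and alerts only when the target group SID is S-1-5-32-544, keying on the well-known SID rather than the group name. The sample event is constructed from the one in the post; the second event for Remote Desktop Users (S-1-5-32-555) is constructed to show that a non-admin group does not fire.

```python
# Well-known SID of BUILTIN\Administrators: stable across hosts and OS languages,
# unlike the group name, which is localized. Detection keys on the SID.
LOCAL_ADMINS_SID = "S-1-5-32-544"

# Constructed sample built from the event in the post; {sid}/{name} let us also
# build a near-identical event for a non-admin group that must NOT alert.
EVENT_TEMPLATE = """EventCode=4732
ComputerName=CONTOSO12.asgard.local
Message=A member was added to a security-enabled local group.
Subject:
Security ID: S-1-5-21-603863440-1198007367-1538882281-5339
Account Name: robert.langdon
Account Domain: INFERNO
Logon ID: 0x541DADE
Member:
Security ID: S-1-5-21-603863440-11966776767-1568884481-7096
Account Name: -
Group:
Security ID: {sid}
Group Name: {name}
Group Domain: Builtin
"""

def parse_event(raw: str) -> dict:
    """Flatten the Splunk-rendered event: header lines are key=value; inside the
    Message body, 'Security ID:' etc. repeat per section, so keys get a
    'Subject.'/'Member.'/'Group.' prefix to keep them apart."""
    fields, section = {}, None
    for line in filter(None, map(str.strip, raw.splitlines())):
        if line.endswith(":"):
            section = line[:-1]
        elif section is None and "=" in line:
            key, _, value = line.partition("=")
            fields[key] = value
        elif ": " in line:
            key, _, value = line.partition(": ")
            fields[f"{section}.{key}"] = value.strip()
    return fields

def local_admin_added(event: dict):
    """Alert dict if a 4732 event added a member to BUILTIN\\Administrators, else None."""
    if event.get("EventCode") != "4732" or event.get("Group.Security ID") != LOCAL_ADMINS_SID:
        return None
    member = event.get("Member.Account Name", "-")
    return {"host": event.get("ComputerName"),
            "actor": f'{event["Subject.Account Domain"]}\\{event["Subject.Account Name"]}',
            # Member is frequently logged by SID only ('-' as the name); resolve it out of band
            "member_sid": event.get("Member.Security ID"),
            "member_name": None if member == "-" else member}
```

Note that in the posted event the Member block carries only a SID ("Account Name: -"), so any alert built on member name alone would come up empty; the same applies to a Splunk search, which should match EventCode 4732 together with the group SID rather than the group name.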