Reporting Windows Security Events 4732 for BUILTIN\Administrators

New Member
SourceName=Microsoft Windows security auditing.

Security ID: BUILTIN\Administrators
Group Name: Administrators
Group Domain: Builtin

I am interested in Reporting on the above Event for only Windows Server Systems?  Searching for the EventCode returns results for all Windows 10 systems as well. Can someone give me an example of how to cross reference those results with OS Type? 

Thank you!

Labels (1)
Tags (2)
0 Karma


There is no such mechanism to identify os type with the logs. You may identify os type based on host if your organization is following some kind of naming convention to distinguish servers and endpoints.

or have csv file which contains hostname and os type of hosts which are sending logs. Then you can lookup os type based on host field.

If this helps, give a like below.
0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...