Reporting Windows Security Events 4732 for BUILTIN...

MarkSplunker02 · ‎08-04-2020

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4732

Group:
Security ID: BUILTIN\Administrators
Group Name: Administrators
Group Domain: Builtin

I am interested in Reporting on the above Event for only Windows Server Systems? Searching for the EventCode returns results for all Windows 10 systems as well. Can someone give me an example of how to cross reference those results with OS Type?

Thank you!

thambisetty · ‎08-04-2020

There is no such mechanism to identify os type with the logs. You may identify os type based on host if your organization is following some kind of naming convention to distinguish servers and endpoints.

or have csv file which contains hostname and os type of hosts which are sending logs. Then you can lookup os type based on host field.

————————————
If this helps, give a like below.

Reporting Windows Security Events 4732 for BUILTIN\Administrators

scheduled search

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation