Our Splunk enterprise security uses the following correlation search for the "Detect New Local Admin Account" notables:
`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) | transaction member_id connected=false maxspan=180m | rename member_id as user | stats count min(_time) as firstTime max(_time) as lastTime by user dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_new_local_admin_account_filter`
The way its written makes it so the search returns any transaction with event code equal to 4720 or event code equal to 4732 with the phrase Administrators. It doesn't make a subquery on the transaction to make sure that the transaction contains both a 4720 and 4732 with phrase Administrators. So we're getting one of these notables for every account created.
If I swap out index=* source="*WinEventLog:Security" for `wineventlog_security`, that correlation search only returns true positives. The key difference between those searches is the subquery that searches the transactions for logs that have both 4720 and 4732 with the phrase Adminstrators.
Does anyone know why Splunk enterprise security and Splunk security essentials have that first correlation search listed? It seems to not do what its supposed to do. Am I missing something?