Windows does not provide an accurate user for who performed an audit policy change on the system (EventCode 4719); it lists System rather than the logged-in user. I would like to identify EventCode=4719 as the primary event and then search for the closest EventCode=4624 prior to when the EventCode=4719 occurred.
I have been checking the Splunk community page and Google to look for something that meets the need. I cannot seem to grasp this concept and would appreciate the help!
-- your search including (EventCode=4719 OR EventCode=4624)
| sort 0 _time
| streamstats window=2 earliest(EventCode) as previousEventCode earliest(_raw) as previousEvent
| where EventCode = 4719 AND EventCode != previousEventCode
| table previousEvent
Appreciate the quick response to this! It did return some results, but in a multi-machine environment (which I did not disclose) it did not return what I was anticipating. I made some modifications and here is what I would like to see:
For each 4719 event from hundreds of machines:
Hostname
Time of event for 4719
Message from 4719
Time of event for 4624
Message from 4624
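A per-host version of that correlation, written here as an added example rather than the search from the answer above or anything from the original thread; it assumes the Windows event data carries the standard host, EventCode and Message fields. It sorts oldest-first per host, copies the time and message of every 4624 into helper fields, lets streamstats carry the most recent non-empty value forward within each host, and then keeps only the 4719 rows, so each 4719 ends up paired with the nearest earlier 4624 on the same machine:

```spl
(EventCode=4719 OR EventCode=4624)
| sort 0 host _time
| eval logon_time=if(EventCode=4624, _time, null()), logon_message=if(EventCode=4624, Message, null())
| streamstats last(logon_time) as logon_time, last(logon_message) as logon_message by host
| where EventCode=4719
| eval event_time=strftime(_time, "%Y-%m-%d %H:%M:%S"), logon_time=strftime(logon_time, "%Y-%m-%d %H:%M:%S")
| table host event_time Message logon_time logon_message
```

An empty logon_time means no 4624 preceded that 4719 on the same host within the search window, which is worth surfacing rather than hiding. Restricting the 4624 side to interactive logons (for example Logon_Type=2 or Logon_Type=10) makes the correlated user more meaningful and cuts the volume that sort 0 has to process.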