First off, I am very new to Splunk and that may be my downfall. Our latest Splunk guru has left and this fell to me rather abruptly, so I apologize in advance.
I have been tasked with generating a report showing users that are logging into the local computers with elevated privileges of their standard daily accounts.
For example, if a user has two logins, username and ADUserName. I need to find out if username is a local admin on their computer and when they have logged in using that account.
I have been trying to figure this out but for the last two weeks haven't actually made any progress.
Hoping someone can point me in the right direction - thank you very much!
Are you collecting logs from endpoints to see if user is making login locally instead using his/her domain account.
You need to have event logs from each endpoint to detect if they are login locally using admin rights. 4672 is the event code.
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4672
or you could easily detect employees who are login using local admin account if you have Microsoft defender ATP installed on endpoints.
We are ingesting those logs from all the end points.
I have searched on that and am only finding systems logging in with elevated privs. I know the admins are doing this, they will tell me they are, but looking for a way to see the activity 😞
Did you see 4672 events collected from endpoints?
Yes, I do see 4672 from end points.
Can you try accessing endpoint using local admin account and see how events is generated then you can understand event behavior.