SIEM × Platform · Splunk · Windows Security

Splunk detections for Windows Security

Sigma rule outputs from CloudSigma rendered into Splunk queries against the Windows Security schema. Every rule is mapped to MITRE ATT&CK and validated against the Splunk dialect.

01 Coverage at a glance
  Production rules: 3
  ATT&CK techniques: 3
  ATT&CK tactics: 3
  Output dialect: Splunk
02 Rule index
  Technique | Rule                                                      | Severity | Log source
  T1068     | Exploitation for Privilege Escalation on Windows Security | medium   | Windows Security
  T1078     | Valid Accounts on Windows Security                        | medium   | Windows Security
  T1098     | Account Manipulation on Windows Security                  | medium   | Windows Security
03 Example rule

User Account Modification via Windows Security Log, generated by CloudSigma and validated against the Splunk dialect.

L1 · production verified 2026-06-06 · sha256:ef3cbd36c92a0e56
Sigma rule · CloudSigma Splunk · Windows Security · 2026-02-09
title: User Account Modification via Windows Security Log
id: 83235f44-8c92-4c9d-96b9-408dd251c05b
status: stable
description: Detects modifications to user account properties including group membership changes, which may indicate an adversary manipulating accounts for persistence or privilege escalation.
references:
  - https://attack.mitre.org/techniques/T1098/
author: CloudSigma
date: 2026-02-09
tags:
  - attack.persistence
  - attack.privilege-escalation
  - attack.t1098
logsource:
  product: windows
  service: security
detection:
  selection_modify:
    EventID: 4738
  selection_group_add:
    EventID:
      - 4728
      - 4732
      - 4756
  filter_system:
    SubjectUserName|endswith: '$'
  condition: (selection_modify or selection_group_add) and not filter_system
falsepositives:
  - IT administrators performing routine account management
  - Automated provisioning tools updating user group memberships
level: medium
Sources
  • Sigma project, https://github.com/SigmaHQ/sigma
  • Splunk documentation, https://docs.splunk.com/
Last verified: 2026-06-06