Data Source: Windows Event Log Security 4756

Description

Data source object for Windows Event Log Security 4756

Details

Property    Value
Source      XmlWinEventLog:Security
Sourcetype  XmlWinEventLog
Separator   EventCode
Name                                   Technique                        Type
Windows Privileged Group Modification  Local Account, Domain Account    TTP

Supported Apps

Event Fields

Fields

  • _time

Example Log

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}' />
    <EventID>4756</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13826</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime='2019-03-20T17:08:41.465560800Z' />
    <EventRecordID>4405437</EventRecordID>
    <Correlation />
    <Execution ProcessID='704' ThreadID='2584' />
    <Channel>Security</Channel>
    <Computer>atc-win-2k16.atc.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name='MemberName'>CN=demouser,CN=Users,DC=atc,DC=local</Data>
    <Data Name='MemberSid'>S-1-5-21-2245550993-2690282630-2861202560-18603</Data>
    <Data Name='TargetUserName'>Enterprise Admins</Data>
    <Data Name='TargetDomainName'>ATC</Data>
    <Data Name='TargetSid'>S-1-5-21-2245550993-2622282683-2531201460-519</Data>
    <Data Name='SubjectUserSid'>S-1-5-21-2245550993-2622282683-2531201460-500</Data>
    <Data Name='SubjectUserName'>test_user</Data>
    <Data Name='SubjectDomainName'>ATC</Data>
    <Data Name='SubjectLogonId'>0x109a6c</Data>
    <Data Name='PrivilegeList'>-</Data>
  </EventData>
</Event>

Required Output Fields

  • dest
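Added example (not part of this data source page or of the detection project it belongs to): a small parser for the XmlWinEventLog 4756 event shown above (a member added to a security-enabled universal group), mapping Computer to the required output field dest and flagging the modification when the target group's SID carries a well-known privileged RID. The sample event is a constructed copy of the page's example log, and the PRIVILEGED_RIDS watch list is an assumption of the example.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Well-known RIDs of built-in privileged domain groups. This watch list is an
# assumption of the example; extend it to suit your own environment.
PRIVILEGED_RIDS = {"512": "Domain Admins", "518": "Schema Admins", "519": "Enterprise Admins"}

# Constructed sample: the 4756 event from this page, trimmed to the fields used below.
SAMPLE_4756 = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><EventID>4756</EventID><Computer>atc-win-2k16.atc.local</Computer></System>"
    "<EventData>"
    "<Data Name='MemberName'>CN=demouser,CN=Users,DC=atc,DC=local</Data>"
    "<Data Name='MemberSid'>S-1-5-21-2245550993-2690282630-2861202560-18603</Data>"
    "<Data Name='TargetUserName'>Enterprise Admins</Data>"
    "<Data Name='TargetDomainName'>ATC</Data>"
    "<Data Name='TargetSid'>S-1-5-21-2245550993-2622282683-2531201460-519</Data>"
    "<Data Name='SubjectUserName'>test_user</Data>"
    "<Data Name='SubjectDomainName'>ATC</Data>"
    "</EventData></Event>"
)


def parse_4756(xml_text):
    """Pull the detection-relevant fields out of an XmlWinEventLog 4756 event.
    Computer maps to the required output field `dest`; EventData/Data items are
    keyed by their Name attribute. Returns None for any other EventID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4756":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "dest": root.findtext("e:System/e:Computer", namespaces=NS),
        "group": data.get("TargetUserName"),
        "group_sid": data.get("TargetSid"),
        "member": data.get("MemberName"),
        "member_sid": data.get("MemberSid"),
        "actor": data.get("SubjectUserName"),
        "actor_domain": data.get("SubjectDomainName"),
    }


def privileged_group_modification(fields):
    """Return the watched group's name when the target SID's RID is on the list.
    Matching on the RID rather than TargetUserName still catches a renamed group."""
    if not fields or not fields.get("group_sid"):
        return None
    rid = fields["group_sid"].rsplit("-", 1)[-1]
    return PRIVILEGED_RIDS.get(rid)
```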

Source: GitHub | Version: 1