ArcSight Logger Search - Windows Events for Account Changes

gistfile1.txt

deviceEventClassId IN ["Microsoft-Windows-Security-Auditing:4740","Microsoft-Windows-Security-Auditing:4722","Microsoft-Windows-Security-Auditing:4738","Microsoft-Windows-Security-Auditing:4781","Microsoft-Windows-Security-Auditing:4720","Microsoft-Windows-Security-Auditing:4725","Microsoft-Windows-Security-Auditing:4724","Microsoft-Windows-Security-Auditing:4723","Microsoft-Windows-Security-Auditing:4767","Microsoft-Windows-Security-Auditing:6279"] and NOT (destinationUserName ENDSWITH "$") and NOT (sourceUserName ENDSWITH "$")