Listing 8: Command to Find Significant Privilege Use Events
-- Reports privilege-use events (EventID 577 and 578) from the Security event
-- log: one row per event with the privilege used, the client account, the
-- primary account and the event ID, sorted by privilege and then by account.
--
-- Enter the command as a single line: the whole query is one quoted argument.
--
-- How the query works:
--   * EXTRACT_TOKEN(Strings, n, '|') picks the n-th '|'-separated field of the
--     event's Strings column.
--   * ADD(SUB(EventID,577),n) evaluates to n for event 577 and n+1 for event
--     578, so one expression reads the same logical field from both events
--     (presumably 578 carries one extra leading field; confirm against a
--     sample event).
--   * Each STRCAT pair joins two tokens with a backslash; presumably this is
--     DOMAIN\user for the client and primary accounts.
--   * IN (577;578): Log Parser separates IN-list values with ';', so the
--     semicolon is not a typo.
--   * INDEX_OF(ClientUser,'$') IS NULL keeps only rows whose ClientUser has no
--     '$' in it; presumably this is meant to drop computer accounts, whose
--     names end in '$'.
--
-- NOTE(review): the '$' test matches anywhere in the string, so any account
-- whose name contains '$' is silently left out of this report. Do not treat
-- the output as a complete record of privilege use; review accounts with '$'
-- in the name separately.
-- NOTE(review): 577/578 are the event IDs used by Windows 2000/XP/Server 2003.
-- Later Windows versions log the corresponding events as 4673/4674, and the
-- field layout presumably differs, so re-check the token offsets against the
-- target OS before reusing this query.
logparser "SELECT EXTRACT_TOKEN(Strings,ADD(SUB(EventID,577),8),'|') AS Privilege, STRCAT(STRCAT(EXTRACT_TOKEN(Strings,ADD(SUB(EventID,577),6),'|'),'\\'), EXTRACT_TOKEN(Strings,ADD(SUB(EventID,577),5),'|')) as ClientUser, STRCAT(STRCAT(EXTRACT_TOKEN(Strings,ADD(SUB(EventID,577),3),'|'),'\\'), EXTRACT_TOKEN(Strings,ADD(SUB(EventID,577),2),'|')) AS PrimaryUser, EventID FROM security WHERE EventID in (577;578) AND INDEX_OF(ClientUser,'$') IS NULL ORDER BY Privilege, ClientUser, PrimaryUser"