Getting Data In

I want to search the list of users whose account was disabled and then enabled within 60 days of time period. how can i achieve this?

abhijeetbhadane
New Member

users account was disabled in July. but suddenly it was enabled in October and performed password reset by an IT person. I wanted to set an alert for such cases in future so that I'll be notified for such activites

0 Karma
1 Solution

samhays
Path Finder

A step-by-step approach might look something like this:

EventCode=4725 OR EventCode=4722 earliest=-60d 
| eval account=mvindex(Account_Name,1)
| stats values(_time) as times, earliest(EventCode) as firstEvent, latest(EventCode) as lastEvent  by account
| replace "4722" with "enabled" in firstEvent, lastEvent
| replace "4725" with "disabled" in firstEvent, lastEvent
| search account != "*\$" AND firstEvent != "enabled" AND lastEvent != "disabled"
| convert ctime(times)
| table times, firstEvent, lastEvent, account

Presuming your data source is Active Directory and you've got some parsing happening!

View solution in original post

samhays
Path Finder

A step-by-step approach might look something like this:

EventCode=4725 OR EventCode=4722 earliest=-60d 
| eval account=mvindex(Account_Name,1)
| stats values(_time) as times, earliest(EventCode) as firstEvent, latest(EventCode) as lastEvent  by account
| replace "4722" with "enabled" in firstEvent, lastEvent
| replace "4725" with "disabled" in firstEvent, lastEvent
| search account != "*\$" AND firstEvent != "enabled" AND lastEvent != "disabled"
| convert ctime(times)
| table times, firstEvent, lastEvent, account

Presuming your data source is Active Directory and you've got some parsing happening!

View solution in original post

abhijeetbhadane
New Member

Hi Samhays

Can we modify this query a bit more?
I want the list of accounts which were disabled earlier and after 60 days or more someone again enabled them?
is this possible?

0 Karma

samhays
Path Finder

I'm not sure I fully understand - could you write up some example output?

abhijeetbhadane
New Member

Hi Sam - Currently i m getting view as below.
08/18/2018 01:47:17
08/29/2018 22:10:24
firstevent: disabled

Lastevent :enabled

Now i want those usernames, who were disabled 2 months ago or more.
There was no activity on those accounts in the meantime and suddenly after 2 months someone enabled the accounts again.
eg. Disabled on : 01 June 2018 12:xx:xx
Enabled on : 10 Oct 2018 12:xx:xx
username : xxx
by whom : abc person
- The intended time gap between disabling and enabling should be 60 days or more.

I hope you understand what I wanted to explain 😕
thanks in advance for your help

0 Karma

VatsalJagani
Motivator

@abhijeetbhadane - Can you please give sample event here?

0 Karma

Dileep
Observer

I have used the below query to find out user accounts which were disabled and then enabled after 30 days in AD.

index=* host="o365:ms" (Operation="Enable account." OR Operation="Disable account.") earliest=-30d object_id="*@domain.com"
| stats stats values(_time) as times earliest(Operation) as firstEvent latest(Operation) as lastEvent by username
| replace "Enable account." with "enabled" in firstEvent, lastEvent
| replace "Disable account." with "disabled" in firstEvent, lastEvent
| search firstEvent="disabled" AND lastEvent="enabled"
|table firstEvent lastEvent ObjectId |convert ctime(times)

Its not giving me the desired results.


Can someone help me in resolving this?

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!