
I want to search for the list of users whose account was disabled and then enabled within a 60-day time period. How can I achieve this?

abhijeetbhadane
New Member

A user's account was disabled in July, but suddenly it was enabled in October and a password reset was performed by an IT person. I wanted to set an alert for such cases in the future so that I'll be notified of such activities.

0 Karma
1 Solution

samhays
Path Finder

A step-by-step approach might look something like this:

EventCode=4725 OR EventCode=4722 earliest=-60d 
| eval account=mvindex(Account_Name,1)
| stats values(_time) as times, earliest(EventCode) as firstEvent, latest(EventCode) as lastEvent  by account
| replace "4722" with "enabled" in firstEvent, lastEvent
| replace "4725" with "disabled" in firstEvent, lastEvent
| search account != "*\$" AND firstEvent != "enabled" AND lastEvent != "disabled"
| convert ctime(times)
| table times, firstEvent, lastEvent, account

Presuming your data source is Active Directory and you've got some parsing happening!

abhijeetbhadane
New Member

Hi Samhays

Can we modify this query a bit more?
I want the list of accounts which were disabled earlier and then, after 60 days or more, someone enabled them again.
Is this possible?

0 Karma

samhays
Path Finder

I'm not sure I fully understand - could you write up some example output?

abhijeetbhadane
New Member

Hi Sam - Currently I'm getting the view as below.
08/18/2018 01:47:17
08/29/2018 22:10:24
firstEvent: disabled

lastEvent: enabled

Now I want those usernames who were disabled 2 months ago or more.
There was no activity on those accounts in the meantime, and suddenly after 2 months someone enabled the accounts again.
e.g. Disabled on : 01 June 2018 12:xx:xx
Enabled on : 10 Oct 2018 12:xx:xx
username : xxx
by whom : abc person
- The intended time gap between disabling and enabling should be 60 days or more.

I hope you understand what I wanted to explain 😕
Thanks in advance for your help.

0 Karma

VatsalJagani
SplunkTrust

@abhijeetbhadane - Can you please give sample event here?

0 Karma

Dileep
Observer

I have used the below query to find out user accounts which were disabled and then enabled after 30 days in AD.

index=* host="o365:ms" (Operation="Enable account." OR Operation="Disable account.") earliest=-30d object_id="*@domain.com"
| stats values(_time) as times earliest(Operation) as firstEvent latest(Operation) as lastEvent by username
| replace "Enable account." with "enabled" in firstEvent, lastEvent
| replace "Disable account." with "disabled" in firstEvent, lastEvent
| search firstEvent="disabled" AND lastEvent="enabled"
| convert ctime(times)
| table times firstEvent lastEvent username

It's not giving me the desired results.

Can someone help me in resolving this?

0 Karma
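To list accounts that were re-enabled 60 days or more after being disabled (the follow-up question above), here is an added SPL search that is not from any post in this thread. It also addresses why a search with earliest=-30d or earliest=-60d cannot find such gaps: both the disable and the enable event must fall inside the search window, so the window must be longer than the gap you are looking for. It assumes Windows Security log events with EventCode 4725 (disabled) and 4722 (enabled) and, like the accepted answer's mvindex(Account_Name,1), that Account_Name is multivalue with the acting account at index 0 and the target account at index 1; the 180-day window and 60-day threshold are placeholders to adjust.

```spl
EventCode=4725 OR EventCode=4722 earliest=-180d
| eval actor=mvindex(Account_Name,0), target=mvindex(Account_Name,1)
| search target!="*$"
| stats latest(eval(if(EventCode=4725,_time,null()))) as disabled_time
        latest(eval(if(EventCode=4722,_time,null()))) as enabled_time
        latest(eval(if(EventCode=4722,actor,null()))) as enabled_by
        by target
| where isnotnull(disabled_time) AND isnotnull(enabled_time) AND enabled_time>disabled_time
| eval gap_days=round((enabled_time-disabled_time)/86400,1)
| where gap_days>=60
| convert ctime(disabled_time) ctime(enabled_time)
| table target disabled_time enabled_time gap_days enabled_by
```

Each row is one account whose most recent enable came at least 60 days after its most recent disable, with the account that performed the enable; the target!="*$" filter drops computer accounts, and the search can be saved as a scheduled alert.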