Getting Data In

I want to search for the list of users whose account was disabled and then enabled within a 60-day time period. How can I achieve this?

abhijeetbhadane
New Member

A user's account was disabled in July, but suddenly it was enabled in October and an IT person performed a password reset on it. I want to set an alert for such cases in future so that I'll be notified of such activities.

0 Karma
1 Solution

samhays
Path Finder

A step-by-step approach might look something like this:

(EventCode=4725 OR EventCode=4722) earliest=-60d
| eval account=mvindex(Account_Name,1)
| stats values(_time) as times, earliest(EventCode) as firstEvent, latest(EventCode) as lastEvent by account
| replace "4722" with "enabled" in firstEvent, lastEvent
| replace "4725" with "disabled" in firstEvent, lastEvent
| search account!="*$" AND firstEvent!="enabled" AND lastEvent!="disabled"
| convert ctime(times)
| table times, firstEvent, lastEvent, account

Presuming your data source is Active Directory and you've got some parsing happening!

abhijeetbhadane
New Member

Hi Samhays

Can we modify this query a bit more?
I want the list of accounts which were disabled earlier and then, after 60 days or more, enabled again by someone.
Is this possible?

0 Karma

samhays
Path Finder

I'm not sure I fully understand - could you write up some example output?

abhijeetbhadane
New Member

Hi Sam - Currently I'm getting the view below.
08/18/2018 01:47:17
08/29/2018 22:10:24
firstEvent: disabled
lastEvent: enabled

Now I want those usernames who were disabled 2 months ago or more.
There was no activity on those accounts in the meantime, and suddenly after 2 months someone enabled the accounts again.
e.g. Disabled on: 01 June 2018 12:xx:xx
Enabled on: 10 Oct 2018 12:xx:xx
username: xxx
by whom: abc person
- The intended time gap between disabling and enabling should be 60 days or more.

I hope you understand what I wanted to explain 😕
Thanks in advance for your help.

0 Karma
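One way to get the rows described in the post above (an account disabled, no further disable/enable on it, then enabled 60 or more days later, together with who enabled it). This is an added example, not part of samhays's answer and not Splunk product code. It keeps the answer's assumption that the second value of Account_Name in a 4722/4725 event is the target account, and additionally assumes the first value is the Subject account that made the change, which is the order the Windows event text uses. The search window is widened to a year, because a 60-day gap can never be observed inside a 60-day window:

```spl
(EventCode=4725 OR EventCode=4722) earliest=-1y
| eval account=mvindex(Account_Name,1), actor=mvindex(Account_Name,0)
| search account!="*$"
| sort 0 account, _time
| streamstats current=f last(_time) as prev_time, last(EventCode) as prev_code by account
| where EventCode="4722" AND prev_code="4725" AND (_time - prev_time) >= 60*86400
| eval disabled_on=strftime(prev_time, "%Y-%m-%d %H:%M:%S"),
       enabled_on=strftime(_time, "%Y-%m-%d %H:%M:%S"),
       gap_days=round((_time - prev_time)/86400, 1)
| table account, disabled_on, enabled_on, gap_days, actor
```

streamstats with current=f attaches to every event the time and EventCode of the previous disable/enable event for the same account (events are sorted oldest first per account, so last() is the preceding event). A row is therefore produced only when an enable (4722) directly follows a disable (4725) with no other 4722/4725 in between, and the two are at least 60 days apart; actor is the Subject account taken from the 4722 event, which answers the "by whom" column. Computer accounts (names ending in $) are dropped as in the original answer. To turn this into the alert asked for in the question, save it as a scheduled search and restrict the where clause to enables that happened since the last run, for example by adding AND _time >= relative_time(now(), "-1d@d") for a daily schedule, so each case is reported once.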

VatsalJagani
SplunkTrust

@abhijeetbhadane - Can you please give sample event here?

0 Karma

Dileep
Observer

I have used the below query to find out user accounts which were disabled and then enabled after 30 days in AD.

index=* host="o365:ms" (Operation="Enable account." OR Operation="Disable account.") earliest=-30d object_id="*@domain.com"
| stats values(_time) as times, earliest(Operation) as firstEvent, latest(Operation) as lastEvent by username
| replace "Enable account." with "enabled" in firstEvent, lastEvent
| replace "Disable account." with "disabled" in firstEvent, lastEvent
| search firstEvent="disabled" AND lastEvent="enabled"
| convert ctime(times)
| table times, firstEvent, lastEvent, username

It's not giving me the desired results.

Can someone help me in resolving this?

0 Karma