Log analysis through Splunk does not seem like the correct approach to answering the question of whether accounts are currently disabled or not... instead you should be looking at the source of truth that maintains the accounts and seeing the state of the accounts. (Now if you were asking when accounts were disabled and by whom, then Splunk is your tool, assuming you're capturing and retaining those audit logs for long enough.)
With Windows systems in a reasonably sized organization, I would guess your accounts are maintained in an Active Directory domain. To answer your question we'll need to query the state of those objects in AD, and the best way to do so in bulk is through LDAP queries. If you absolutely need to keep results in Splunk, then SA-ldapsearch will help here, but honestly I would rather use the ldapsearch CLI utility from OpenLDAP, or if you prefer a GUI to perform LDAP searches, I'd recommend Apache Directory Studio.
Now to build your LDAP search. When people say they have a userid for a domain account, they often mean that they have a list of
SAMAccountNames. But it could be other naming attributes, or even email addresses. Whichever attribute it is, you'll then build an OR list of them in your LDAP filter to find all of the accounts based on these identifiers... Something like:
(|
(samaccountname=firstusername)
(samaccountname=secondusername)
...
(samaccountname=lastusername)
)
While I'm writing this on multiple lines for clarity, I should note that it could be collapsed into a single line just as easily, since the parentheses act as groupers and delimiters.
Next the question is which of these accounts are disabled, and which are enabled. To answer this in Active Directory you'll need to be familiar with the userAccountControl attribute. This is a bit flag of statuses of the user accounts in AD... including whether the account is disabled or not. Knowing that the 2 bit is the flag for the account being disabled... we could just download this attribute with our previous filter and sort it out. But knowing that there are bitwise search operators for LDAP filters, we can actually build upon our previous filter with two different searches to answer that question for us from LDAP.
To get the set of accounts that are disabled (where the disabled flag is set), we need an AND filter with our previous query... like so:
(&
(userAccountControl:1.2.840.113556.1.4.803:=2)
(|(samaccountname=firstusername)...)
)
And to get the set of accounts that are not disabled, we add a NOT filter around our check for the 2 bit on the user account control.
(&
(!(userAccountControl:1.2.840.113556.1.4.803:=2))
(|(samaccountname=firstusername)...)
)
And if an account is returned by neither search, then it's not in Active Directory anymore.
I hope this gives you an idea of how to do this, and I hope I've impressed upon you the need to use the right tool for the question you're trying to answer (and that Splunk may not be the answer all the time!). If you're not using Active Directory at your organization, then the steps will vary, but the general idea is similar: look up the account status in the source of truth for the accounts; don't rely on the set of captured logs to tell you the current status.
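As an added illustration of the answer above (this is example code, not part of the original post), the following Python builds the two filters the answer describes from a list of SAMAccountNames, escapes the supplied identifiers per RFC 4515 so a stray `*` or `)` cannot widen or break the filter, and emulates the userAccountControl bit test on a small constructed directory so the three outcomes (disabled, enabled, not in AD) can be checked offline. The directory contents, the `classify` helper and the ldapsearch placeholders in the comments are assumptions for the example; only the bit value 2, the matching-rule OID and the filter shapes come from the answer.

```python
# Added example (not from the answer above): builds the two LDAP filters the answer
# describes and emulates the userAccountControl bit test on a constructed directory.
ACCOUNTDISABLE = 0x2  # userAccountControl bit for "account is disabled" (the "2 bit")
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # bitwise-AND extensible match


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515), so an identifier
    containing '*', '(', ')', '\\' or NUL cannot alter the filter's structure."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def identifier_clause(names, attribute="sAMAccountName") -> str:
    """OR-list of (attribute=value) terms, one per supplied identifier."""
    return "(|" + "".join(f"({attribute}={escape_filter_value(n)})" for n in names) + ")"


def disabled_filter(names) -> str:
    """Accounts from the list whose ACCOUNTDISABLE bit is set."""
    return (f"(&(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={ACCOUNTDISABLE})"
            f"{identifier_clause(names)})")


def enabled_filter(names) -> str:
    """Accounts from the list whose ACCOUNTDISABLE bit is clear (NOT around the bit test)."""
    return (f"(&(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={ACCOUNTDISABLE}))"
            f"{identifier_clause(names)})")


def classify(names, directory):
    """Emulate the two searches against a {sAMAccountName: userAccountControl} dict
    (a constructed stand-in for AD). sAMAccountName comparisons in AD are
    case-insensitive, so keys are lower-cased. An identifier returned by neither
    search is reported as missing, i.e. no longer in Active Directory."""
    uac_by_name = {k.lower(): v for k, v in directory.items()}
    result = {"disabled": [], "enabled": [], "missing": []}
    for name in names:
        uac = uac_by_name.get(name.lower())
        if uac is None:
            result["missing"].append(name)
        elif uac & ACCOUNTDISABLE:
            result["disabled"].append(name)
        else:
            result["enabled"].append(name)
    return result


if __name__ == "__main__":
    wanted = ["awasw", "bamrb", "baspa"]
    # Constructed sample directory: 0x200 = NORMAL_ACCOUNT, 0x202 = NORMAL_ACCOUNT | ACCOUNTDISABLE
    sample_ad = {"awasw": 0x202, "bamrb": 0x200}
    print(disabled_filter(wanted))
    print(enabled_filter(wanted))
    print(classify(wanted, sample_ad))
    # Against a real domain the same filter string goes to the OpenLDAP CLI the answer
    # mentions; host, bind user and base DN below are placeholders, not real values:
    # ldapsearch -H ldap://DC_HOSTNAME -D BIND_USER -W -b "DC=example,DC=com" \
    #     "$(python3 -c 'print(disabled_filter(...))')" sAMAccountName userAccountControl
```

The escaping step matters when the 200-name list comes from someone else: an unescaped `*` in one entry would turn its term into a wildcard and return accounts that were never asked about.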
Try this!
※Change the account to the actual field name.
|inputlookup lookup_filename|eval status="lookup"|table account,status
|append
[search sourcetype=WinEventLog:Security (EventCode=4725 OR EventCode=4726)
|dedup account|eval status="Disabled OR Delete"|table account,status]
|stats list(status) as status by account
status:"lookup"⇒A valid account
status:"lookup" AND "Disabled OR Delete"⇒Invalidated account
status:"Disabled OR Delete"⇒Account not present in lookup
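To make the three outcomes of the search above concrete, here is an added Python emulation (example code, not Splunk and not part of the original answer) of the `append` plus `stats list(status) by account` logic over a constructed lookup list and a few constructed Security events. The event dicts, the lookup rows and the function names are assumptions for the example; the event codes, status strings and the three interpretations are the answer's own.

```python
# Added example (not part of the answer above, not Splunk code): emulates the
# inputlookup | append [search 4725/4726 | dedup] | stats list(status) by account
# pipeline in plain Python so the three outcomes can be checked offline.
from collections import defaultdict

# Constructed sample data: the fields Splunk would extract from WinEventLog:Security
# (EventCode and the target account, which the search above calls "account").
SAMPLE_EVENTS = [
    {"EventCode": 4725, "account": "bamrb"},   # user account disabled
    {"EventCode": 4725, "account": "bamrb"},   # duplicate, removed by dedup
    {"EventCode": 4726, "account": "batah"},   # user account deleted
    {"EventCode": 4624, "account": "awasw"},   # logon, outside the (4725 OR 4726) filter
]
SAMPLE_LOOKUP = ["awasw", "bamrb", "baspa"]   # rows of the lookup file (constructed)


def disabled_or_deleted(events):
    """search (EventCode=4725 OR EventCode=4726) | dedup account: one row per account."""
    seen = set()
    for ev in events:
        if ev["EventCode"] in (4725, 4726) and ev["account"] not in seen:
            seen.add(ev["account"])
            yield {"account": ev["account"], "status": "Disabled OR Delete"}


def classify_accounts(lookup_rows, events):
    """inputlookup | append [...] | stats list(status) by account, followed by the
    interpretation the answer gives for each combination of statuses."""
    statuses = defaultdict(list)
    for acct in lookup_rows:
        statuses[acct].append("lookup")
    for row in disabled_or_deleted(events):
        statuses[row["account"]].append(row["status"])
    verdict = {}
    for acct, found in statuses.items():
        if "lookup" in found and "Disabled OR Delete" in found:
            verdict[acct] = "Invalidated account"
        elif "lookup" in found:
            verdict[acct] = "A valid account"
        else:
            verdict[acct] = "Account not present in lookup"
    return verdict


if __name__ == "__main__":
    for acct, status in sorted(classify_accounts(SAMPLE_LOOKUP, SAMPLE_EVENTS).items()):
        print(f"{acct}: {status}")
```

Note the limitation the first answer points out: an account whose disable event falls outside the retained logs comes back as "A valid account" here, because the search can only see events that were captured, not the account's current state.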
I tried
|inputlookup passwordstatedisabled |eval status="lookup"|table user,status
|append
[search sourcetype=WinEventLog:Security (EventCode=4725 OR EventCode=4726)
|dedup user|eval status="Disabled OR Delete"|table user,status]
|stats list(status) as status by user
but I guess it is showing me the disabled users in our organization, not comparing the users present in the lookup file; however, the users present in the csv file are
awasw
bamrb
baspa
batah
batrg
beene
like the above
I guess my lookup file doesn't have any data. I tried checking my lookup file, and it is showing no data. Is there any other format to save the data in the lookup file?
Is there a CSV file format?
The character code is UTF8. You can change it with Notepad.
user
awasw
bamrb
baspa
batah
batrg
beene
Import the lookup file from the GUI.
I did it from Notepad as well, it's still not taking the data. I guess something is wrong with my lookup only.
Can you add ".csv" to the lookup file when creating it?
passwordstatedisabled ⇒ passwordstatedisabled.csv
Yes, I did add both .csv and .txt files with slightly different names.
It uploaded through the GUI; I gave permission to all the applications with read and write rights and shared it.
When I tried to pivot that file it's showing no data, I'm not sure why.
Using it in inputlookup is also not working: the search gives me all the other disabled accounts but not the ones present in my list.
Does it work if each is run separately?
|inputlookup filename.csv |eval status="lookup"|table user,status
index=(your index) sourcetype=WinEventLog:Security (EventCode=4725 OR EventCode=4726)|dedup user|eval status="Disabled OR Delete"|table user,status
I have added that file to the lookup; can anyone suggest if I am doing something wrong?
Activation and deactivation of accounts can be understood only by the system that manages the account.
What do you really want to check? Is there an account use?
I have a list of 200 accounts, want to check that accounts are disabled in system or not via splunk
The information of Splunk users can be obtained by the following search. However, Splunk users have no validity or invalidity.
|rest /services/authentication/users splunk_server=local
I was not looking for the Splunk users; I was looking for the organization's users.
The exact scenario is:
Somebody gave me a list of 200 user accounts from our organization; I need to verify through Winlogsecurity logs whether these accounts are disabled or not.
If you have acquired the event log, please search by event ID. Logs of invalidated or deleted accounts:
4725 User account has been disabled.
4726 User account has been deleted.
You can verify this with a lookup file.
That is what I wanted to know.
Meaning I am not getting the exact query to detect the same:
sourcetype=WinEventLog:Security (EventCode=4725 OR EventCode=4726)
I have added the csv file into the lookup with the lookup file name disableuser.
Can you please help?