Activity for a privileged account previously disabled and recently rehabilitated

wvalente
Explorer

Hi Guys,

I need help to set up a search that alerts me when a privileged account was disabled and then re-enabled within a certain period of time.

I have no idea how I can construct this search.

Help, please.

Tks guys.


gcusello
SplunkTrust

Hi wvalente,
I'm not sure about the EventCodes, but they should be 4722 (enabled) and 4725 (disabled), so you should try something like this:

index=wineventlog sourcetype=WinEventLog:Security (EventCode=4722 OR EventCode=4725)
| transaction Account_Name 
| search EventCode=4722 EventCode=4725

In this way you create an event that correlates all events of each Account_Name; if there are both EventCode 4722 and 4725, you can trigger an alert.
You can manage time in earliest and latest.

Bye.
Giuseppe


wvalente
Explorer

Hi Giuseppe,

Sorry, I was looking for Linux devices.

Do you know?

Tks


gcusello
SplunkTrust

It's the same thing, only different field names:

index=your_index sourcetype=your_sourcetype (EventCode=4722 OR EventCode=4725)
| transaction user 
| search EventCode=4722 EventCode=4725

Bye.
Giuseppe

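The correlation the searches above perform, reimplemented here as an added Python example on constructed events (not code from the thread or from Splunk), so the time window the question asks for can be seen working: a 4725 followed by a 4722 for the same Account_Name within max_span counts, while a later re-enable or an enable with no prior disable does not. Field names follow the Windows answer; the 24-hour window, the optional privileged-account list and the account names are assumptions.

```python
from datetime import datetime, timedelta

DISABLED = 4725  # Windows Security: a user account was disabled
ENABLED = 4722   # Windows Security: a user account was enabled

# Constructed sample events in the shape the searches above work on
# (_time, EventCode, Account_Name); not real log data.
SAMPLE_EVENTS = [
    {"_time": "2024-03-01T08:00:00", "EventCode": DISABLED, "Account_Name": "svc_backup"},
    {"_time": "2024-03-01T09:30:00", "EventCode": ENABLED, "Account_Name": "svc_backup"},   # re-enabled 90 min later
    {"_time": "2024-03-01T10:00:00", "EventCode": DISABLED, "Account_Name": "jdoe_admin"},
    {"_time": "2024-03-03T10:00:00", "EventCode": ENABLED, "Account_Name": "jdoe_admin"},   # 48 h later: outside a 24 h window
    {"_time": "2024-03-01T11:00:00", "EventCode": ENABLED, "Account_Name": "asmith"},       # enable with no prior disable
]


def find_reenabled_accounts(events, max_span=timedelta(hours=24), privileged=None):
    """Pair each disable (4725) with the next enable (4722) of the same
    Account_Name, as `transaction Account_Name maxspan=...` would, and keep the
    pairs whose gap is within max_span. `privileged` (assumed) optionally
    restricts the check to a set of account names."""
    ordered = sorted(events, key=lambda e: e["_time"])  # fixed-width ISO timestamps sort correctly as strings
    pending = {}  # Account_Name -> time of the most recent disable still waiting for an enable
    hits = []
    for ev in ordered:
        name = ev["Account_Name"]
        if privileged is not None and name not in privileged:
            continue
        ts = datetime.fromisoformat(ev["_time"])
        if ev["EventCode"] == DISABLED:
            pending[name] = ts  # a fresh disable restarts the clock for this account
        elif ev["EventCode"] == ENABLED and name in pending:
            disabled_at = pending.pop(name)
            gap = ts - disabled_at
            if gap <= max_span:
                hits.append({
                    "Account_Name": name,
                    "disabled_at": disabled_at.isoformat(),
                    "enabled_at": ts.isoformat(),
                    "duration_s": int(gap.total_seconds()),
                })
    return hits


if __name__ == "__main__":
    for hit in find_reenabled_accounts(SAMPLE_EVENTS):
        print(f"ALERT {hit['Account_Name']}: disabled {hit['disabled_at']}, "
              f"re-enabled {hit['enabled_at']} ({hit['duration_s']} s later)")
```

Widening max_span is the equivalent of stretching earliest/latest or maxspan in the Splunk search: with a 72-hour window the jdoe_admin pair is reported as well.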