Splunk Search

How to create an Alert on disabled AD accounts being re-enabled?

eblackburn
Path Finder

Does anyone have experience writing a query that can be used to alert on disabled AD accounts being re-enabled? I've learned that Windows EventCode 4722 can be used to find accounts being enabled, but I'm unsure of how to correlate that with whether or not the account was in a disabled state beforehand.

 

Labels (1)
0 Karma
1 Solution

Stefanie
Builder

How long back are you looking to detect when an account was disabled?

I've found a query that may suit your needs

EventCode=4725 OR EventCode=4722 earliest=-60d
|eval account=mvindex(Account_Name,1)
|stats values(_time) as times, earliest(EventCode) as firstEvent, latest(EventCode) as lastEvent by account
|replace "4722" with "enabled" in firstEvent, lastEvent
|replace "4725" with "disabled" in firstEvent, lastEvent
|search account != "*\$" AND firstEvent != "enabled" AND lastEvent != "disabled"
|convert ctime(times)
|table times, firstEvent, lastEvent, account

 

View solution in original post

Stefanie
Builder

How long back are you looking to detect when an account was disabled?

I've found a query that may suit your needs

EventCode=4725 OR EventCode=4722 earliest=-60d
|eval account=mvindex(Account_Name,1)
|stats values(_time) as times, earliest(EventCode) as firstEvent, latest(EventCode) as lastEvent by account
|replace "4722" with "enabled" in firstEvent, lastEvent
|replace "4725" with "disabled" in firstEvent, lastEvent
|search account != "*\$" AND firstEvent != "enabled" AND lastEvent != "disabled"
|convert ctime(times)
|table times, firstEvent, lastEvent, account

 

eblackburn
Path Finder

That's really helpful. Thanks!

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...