Solved: How to create an Alert on disabled AD accounts bei...

eblackburn · ‎06-10-2022

Does anyone have experience writing a query that can be used to alert on disabled AD accounts being re-enabled? I've learned that Windows EventCode 4722 can be used to find accounts being enabled, but I'm unsure of how to correlate that with whether or not the account was in a disabled state beforehand.

Stefanie · ‎06-13-2022

How long back are you looking to detect when an account was disabled?

I've found a query that may suit your needs

EventCode=4725 OR EventCode=4722 earliest=-60d
|eval account=mvindex(Account_Name,1)
|stats values(_time) as times, earliest(EventCode) as firstEvent, latest(EventCode) as lastEvent by account
|replace "4722" with "enabled" in firstEvent, lastEvent
|replace "4725" with "disabled" in firstEvent, lastEvent
|search account != "*\$" AND firstEvent != "enabled" AND lastEvent != "disabled"
|convert ctime(times)
|table times, firstEvent, lastEvent, account

View solution in original post

Stefanie · ‎06-13-2022

How long back are you looking to detect when an account was disabled?

I've found a query that may suit your needs

EventCode=4725 OR EventCode=4722 earliest=-60d
|eval account=mvindex(Account_Name,1)
|stats values(_time) as times, earliest(EventCode) as firstEvent, latest(EventCode) as lastEvent by account
|replace "4722" with "enabled" in firstEvent, lastEvent
|replace "4725" with "disabled" in firstEvent, lastEvent
|search account != "*\$" AND firstEvent != "enabled" AND lastEvent != "disabled"
|convert ctime(times)
|table times, firstEvent, lastEvent, account

eblackburn · ‎06-17-2022

That's really helpful. Thanks!

How to create an Alert on disabled AD accounts being re-enabled?

other

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023

Security Newsletter Updates | March 2023