I am attempting to create a search to alert on when a previously disabled employee is re-enabled. Currently, my search is as follows:
index=* EventCode=4738 sourcetype="WinEventLog:Security" New_UAC_Value="0x10" | join type=inner [search earliest=-3m@d latest=now index=* sourcetype="WinEventLog:Security" EventCode=4725] | table _time,user,src_user,Old_UAC_Value,New_UAC_Value,EventCode
The first search identifies accounts that have been re-enabled. While this is half the battle, it also includes accounts that are being created or modified in some way. The second search (after the join) identifies disabled accounts. What I need to identify in my search are those accounts that at some time in the past were disabled, and then more recently re-enabled.
Joining these two searches in the manner above does not produce what I expect it to.
I greatly appreciate any help provided.
How about something like this (this is untested code, so please edit as appropriate)
index=* sourcetype="WinEventLog:Security" EventCode=4738 OR EventCode=4725 | stats latest(eval(if(EventCode=4738 AND New_UAC_Value="0x10", _time, null()))) as E4738 latest(eval(if(EventCode=4725, _time, null()))) as E4725 by Account_Name | where E4738>E4725 | foreach E* [eval <<FIELD>>=strftime(<<FIELD>>, "%m/%d/%Y %H:%M:%S")]
You could also try with EventCode 4722 (account enabled)
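The stats-based logic from the answer above (latest disable event versus latest enable event per account, keep the account only when the enable is newer), reproduced as an added Python example rather than SPL. This is not code from the original thread or from Splunk; the key=value log lines are constructed here to resemble the fields Splunk extracts from WinEventLog:Security, and Account_Name is taken to be the target account (real 4722/4725/4738 events also carry the subject's Account_Name, which the stats-by-Account_Name search inherits as an ambiguity).

```python
"""Flag accounts that were disabled (4725) and later re-enabled (4722, or
4738 with New_UAC_Value 0x10), mirroring the stats/where search above.
Added example with constructed data; not from the original thread."""
from datetime import datetime

# Constructed sample events (not real logs), one per line:
# "<timestamp> EventCode=<code> Account_Name=<target> [New_UAC_Value=<hex>]"
SAMPLE_LOG = """\
2024-03-01 09:00:00 EventCode=4725 Account_Name=jsmith
2024-03-01 08:00:00 EventCode=4722 Account_Name=adoe
2024-03-02 10:00:00 EventCode=4725 Account_Name=adoe
2024-03-03 12:00:00 EventCode=4725 Account_Name=ckim
2024-03-04 12:05:00 EventCode=4722 Account_Name=ckim
2024-03-05 11:00:00 EventCode=4738 Account_Name=bnew New_UAC_Value=0x10
2024-03-06 16:00:00 EventCode=4738 Account_Name=jsmith New_UAC_Value=0x15
2024-03-10 14:30:00 EventCode=4738 Account_Name=jsmith New_UAC_Value=0x10
"""

DISABLE_CODES = {"4725"}   # "User account was disabled"
ENABLE_CODES = {"4722"}    # "User account was enabled"
ENABLE_UAC = "0x10"        # the 4738 filter used in the question


def parse_line(line):
    """Split one constructed line into a dict of fields plus a _time datetime."""
    ts_str, rest = line[:19], line[20:]
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["_time"] = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
    return fields


def is_enable(ev):
    """4722, or a 4738 whose New_UAC_Value matches the question's filter."""
    if ev["EventCode"] in ENABLE_CODES:
        return True
    return ev["EventCode"] == "4738" and ev.get("New_UAC_Value") == ENABLE_UAC


def find_reenabled(log_text):
    """Return {account: (latest_disable_time, latest_enable_time)} for every
    account whose latest enable is newer than its latest disable. Accounts
    that were only ever enabled/created (no 4725) are not reported, which is
    what removes the 'newly created' noise from the 4738-only search."""
    latest_disable, latest_enable = {}, {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        acct, t = ev["Account_Name"], ev["_time"]
        if ev["EventCode"] in DISABLE_CODES:
            latest_disable[acct] = max(latest_disable.get(acct, t), t)
        elif is_enable(ev):
            latest_enable[acct] = max(latest_enable.get(acct, t), t)

    hits = {}
    for acct, enabled_at in latest_enable.items():
        disabled_at = latest_disable.get(acct)
        if disabled_at is not None and enabled_at > disabled_at:
            hits[acct] = (disabled_at, enabled_at)
    return hits


def format_hits(hits):
    """Render results in the same date format the SPL strftime call uses."""
    fmt = "%m/%d/%Y %H:%M:%S"
    return [(acct, d.strftime(fmt), e.strftime(fmt))
            for acct, (d, e) in sorted(hits.items())]


if __name__ == "__main__":
    for row in format_hits(find_reenabled(SAMPLE_LOG)):
        print(row)
```

On the constructed data only jsmith (disabled, then 4738 with 0x10) and ckim (disabled, then 4722) are reported; adoe was enabled before being disabled, bnew has no disable event, and the jsmith 4738 with New_UAC_Value 0x15 is ignored because it does not match the enable filter. The time-window question from the original search (how far back to look for the 4725) becomes the scope of events you feed in.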
A stats search which replaces a join is most likely to be the better approach 😉
Modified this to capture removal from the security-enabled global group (Event code 4729) instead of 4725. Code worked perfectly.
Thank you Sundareshr!