Splunk Search

Search for events in sequence over time

New Member

I am attempting to create a search to alert on when a previously disabled employee is re-enabled. Currently, my search is as follows:

index=* EventCode=4738 sourcetype="WinEventLog:Security" New_UAC_Value="0x10" | join type=inner [search earliest=-3m@d latest=now index=* sourcetype="WinEventLog:Security" EventCode=4725] | table _time,user,src_user,Old_UAC_Value,New_UAC_Value,EventCode

The first search identifies accounts that have been re-enabled. While this is half the battle, it also includes accounts that are being created or modified in some way. The second search (after the join) identifies disabled accounts. What I need to identify in my search are those accounts that at some time in the past were disabled, and then more recently re-enabled.

Joining these two searches in the manner above does not produce what I expect it to.

I greatly appreciate any help provided.

0 Karma
1 Solution

Legend

How about something like this (this is untested code, so please edit as appropriate)

index=* sourcetype="WinEventLog:Security" EventCode=4738  OR EventCode=4725  | stats latest(eval(if(EventCode=4738 AND New_UAC_Value="0x10", _time, null()))) as E4738 latest(eval(if(EventCode=4725, _time, null()))) as E4725 by Account_Name | where E4738>E4725 | foreach E* [eval <<FIELD>>=strftime(<<FIELD>>, "%m/%d/%Y %H:%M:%S")]

You could also try with EventCode 4722 (account enabled)

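The same stats-style logic as the accepted answer, written in Python over a handful of constructed Windows Security events so the comparison can be checked offline. This is an added example, not code from the thread; the sample events, the `find_reenabled` function and the `disable_codes` parameter are all assumptions made here.

```python
from datetime import datetime

# Constructed sample events (not real log data); field names follow
# sourcetype=WinEventLog:Security as used in the thread.
SAMPLE_EVENTS = [
    {"_time": "2024-03-01 09:00:00", "EventCode": 4725, "Account_Name": "jdoe"},
    {"_time": "2024-03-05 14:30:00", "EventCode": 4738, "Account_Name": "jdoe", "New_UAC_Value": "0x10"},
    {"_time": "2024-03-02 10:00:00", "EventCode": 4725, "Account_Name": "asmith"},
    {"_time": "2024-03-02 10:05:00", "EventCode": 4738, "Account_Name": "bjones", "New_UAC_Value": "0x15"},
    {"_time": "2024-03-03 08:00:00", "EventCode": 4722, "Account_Name": "svc_backup"},
    {"_time": "2024-03-04 08:00:00", "EventCode": 4738, "Account_Name": "cwong", "New_UAC_Value": "0x10"},
    {"_time": "2024-03-04 09:00:00", "EventCode": 4725, "Account_Name": "cwong"},
]

TIME_FMT = "%m/%d/%Y %H:%M:%S"  # same strftime format as the accepted answer


def is_enable(ev):
    """4722 (account enabled) or 4738 whose new UAC value is 0x10, as in the thread."""
    return ev["EventCode"] == 4722 or (
        ev["EventCode"] == 4738 and ev.get("New_UAC_Value") == "0x10")


def find_reenabled(events, disable_codes=(4725,)):
    """Mirror of the stats/where pipeline: keep the latest enable and latest
    disable per account and report only accounts whose enable is newer.
    disable_codes (hypothetical parameter) can be widened, e.g. to 4729 as the
    follow-up comment did."""
    latest_enable, latest_disable = {}, {}
    for ev in events:
        t = datetime.strptime(ev["_time"], "%Y-%m-%d %H:%M:%S")
        acct = ev["Account_Name"]
        if is_enable(ev):
            latest_enable[acct] = max(latest_enable.get(acct, t), t)
        elif ev["EventCode"] in disable_codes:
            latest_disable[acct] = max(latest_disable.get(acct, t), t)
    # Accounts with no disable event never satisfy E4738>E4725 in SPL either
    # (a null side makes the comparison false), so they are dropped here too.
    return {
        acct: (latest_enable[acct].strftime(TIME_FMT), latest_disable[acct].strftime(TIME_FMT))
        for acct in sorted(latest_enable)
        if acct in latest_disable and latest_enable[acct] > latest_disable[acct]
    }


if __name__ == "__main__":
    for acct, (enabled, disabled) in find_reenabled(SAMPLE_EVENTS).items():
        print(f"{acct}: disabled {disabled}, re-enabled {enabled}")
```

Only jdoe is reported: bjones's 4738 is a modification rather than an enable, svc_backup was never disabled, and cwong's latest event is a disable, which is the behaviour the `where E4738>E4725` clause gives because `latest()` keeps one timestamp per account.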


SplunkTrust

A stats search which replaces a join is most likely to be the better approach 😉

0 Karma

New Member

Modified this to capture removal from the security-enabled global group (Event code 4729) instead of 4725. Code worked perfectly.

Thank you Sundareshr!

0 Karma