Splunk Search

Windows account enabled after being disabled

SIEMStudent
Path Finder

Hi Splunkers,

I'm trying to build a most common search, which is: track when a Windows/Active Directory account is changed from disabled to enabled.
The starting point, the switching to enabled, is not a problem for me; this is because I know that tracking EventCode=4722 helps me with this scenario.

The "but" here is the following: the customer wants to be able to distinguish the legit changes from the not legit ones.
Here there are two typical scenarios, one admitted and one not:

New User
When a new user arrives in the company and their user account is created, Active Directory first generates an account creation event and then generates another user account enable event.
This case should not be alerted because it is a normal process.

User disabled in the company
When a user left the company some time ago and his user account changes its status to Enabled, it is an abnormal event, so it should be alerted.


So, my question is: how can I identify the legit situation from the not legit one?

1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @SIEMStudent,

assuming that a user is enabled soon after creation, you could run something like this:


index=wineventlog (EventCode=4720 OR EventCode=4722)
| stats dc(EventCode) AS dc_EventCode values(EventCode) AS EventCode BY user
| search dc_EventCode=1 AND EventCode=4722

In this way, you exclude from the results the condition where both EventCodes are present.

Ciao.

Giuseppe
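The logic of the accepted search, reproduced in Python over a handful of constructed events so it can be stepped through offline. This is an added example, not code from the thread or from Splunk: `enabled_without_creation` mirrors the `stats dc(EventCode) ... | search dc_EventCode=1 AND EventCode=4722` approach (per-user set of event codes, alert when only 4722 is present), and `enabled_outside_creation_window` generalises it by making the "enabled soon after creation" assumption explicit as a time window, which also catches an account that was created earlier in the search range and re-enabled much later. The sample events, user names, timestamps and the five-minute window are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Windows Security event IDs:
# 4720 = user account created, 4722 = user account enabled.
SAMPLE_EVENTS = [
    # New hire: creation followed seconds later by enable -> legit, no alert
    {"_time": "2024-03-04T09:00:00", "EventCode": 4720, "user": "new.hire"},
    {"_time": "2024-03-04T09:00:05", "EventCode": 4722, "user": "new.hire"},
    # Former employee: enable with no creation event at all -> alert
    {"_time": "2024-03-04T11:30:00", "EventCode": 4722, "user": "former.employee"},
    # Old contractor: created days ago, re-enabled today -> only the
    # time-window variant flags this one
    {"_time": "2024-03-01T08:00:00", "EventCode": 4720, "user": "old.contractor"},
    {"_time": "2024-03-04T14:00:00", "EventCode": 4722, "user": "old.contractor"},
]


def enabled_without_creation(events):
    """Mirror of the SPL in the accepted answer.

    stats dc(EventCode) values(EventCode) BY user, then keep users whose
    only distinct EventCode is 4722: enabled, but never created inside
    the search window.
    """
    codes_by_user = defaultdict(set)
    for ev in events:
        if ev["EventCode"] in (4720, 4722):
            codes_by_user[ev["user"]].add(ev["EventCode"])
    return sorted(user for user, codes in codes_by_user.items() if codes == {4722})


def enabled_outside_creation_window(events, window=timedelta(minutes=5)):
    """Time-bounded variant (assumed refinement, not from the thread).

    A 4722 is treated as legit only if a 4720 for the same user occurred
    within `window` before it; otherwise it is alerted. Returns a list of
    (user, enable_time) tuples in chronological order.
    """
    created_at = defaultdict(list)
    for ev in events:
        if ev["EventCode"] == 4720:
            created_at[ev["user"]].append(datetime.fromisoformat(ev["_time"]))

    alerts = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        if ev["EventCode"] != 4722:
            continue
        enabled_at = datetime.fromisoformat(ev["_time"])
        recently_created = any(
            timedelta(0) <= enabled_at - c <= window for c in created_at[ev["user"]]
        )
        if not recently_created:
            alerts.append((ev["user"], ev["_time"]))
    return alerts


if __name__ == "__main__":
    print("stats-style:", enabled_without_creation(SAMPLE_EVENTS))
    print("time-window:", enabled_outside_creation_window(SAMPLE_EVENTS))
```

The stats-only version returns just `former.employee`; the windowed version also returns `old.contractor`, because its 4720 falls inside the search range but days before the 4722. In SPL the same refinement would mean carrying the creation timestamp through the `stats` (for example with `min(_time)` per EventCode) and comparing it to the enable time rather than only counting distinct codes.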


SIEMStudent
Path Finder

Hi Giuseppe, thanks a lot, it works!

Ciao.

Luca
