
Windows account enabled after been disabled

SIEMStudent
Path Finder

Hi Splunkers,

I'm trying to build a very common search, which is: track when a Windows/Active Directory account is changed from disabled to enabled.
The starting point, the switch to enabled, is not a problem for me, because I know that tracking EventCode=4722 helps me with this scenario.

The "but" here is the following: the customer wants to be able to distinguish the legit changes from the non-legit ones.
Here there are two typical scenarios, one admitted and one not:

New User
When a new user arrives in the company and their user account is created, Active Directory first generates an account creation event and then generates another user account enable event.
This case should not be alerted because it is a normal process.

User disabled in the company
When a user left the company some time ago and his user account changes its status to Enabled, it is an abnormal event, so it should be alerted.


So, my question is: how can I distinguish the legit situation from the non-legit one?


1 Solution

gcusello
SplunkTrust

Hi @SIEMStudent,

assuming that a user is enabled soon after creation, you could run something like this:


index=wineventlog (EventCode=4720 OR EventCode=4722)
| stats dc(EventCode) AS dc_EventCode values(EventCode) AS EventCode BY user
| search dc_EventCode=1 AND EventCode=4722


In this way, you exclude from the results the condition where both EventCodes are present.

Ciao.

Giuseppe

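The following is an added example, not code from the original thread or from Splunk. It re-implements the accepted search's grouping logic in Python over a constructed set of events (the sample records, field names and user names are assumptions shaped like the `_time`, `EventCode` and `user` fields the question refers to), so the suppression rule can be tested offline. It also goes one step beyond the thread: a time-windowed variant that only suppresses a 4722 when a 4720 for the same account occurred shortly before it, which still alerts on an account that was created in the search window, disabled, and re-enabled hours later, a case the distinct-count approach would hide.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Each record mimics the
# fields a Splunk Windows event would expose: _time, EventCode, user (target account).
SAMPLE_EVENTS = [
    {"_time": "2024-03-01T09:00:00", "EventCode": 4720, "user": "new.hire"},    # created
    {"_time": "2024-03-01T09:00:05", "EventCode": 4722, "user": "new.hire"},    # enabled 5s later: normal
    {"_time": "2024-03-01T11:30:00", "EventCode": 4722, "user": "old.leaver"},  # enabled, never created in window
    {"_time": "2024-03-01T08:00:00", "EventCode": 4720, "user": "contractor"},  # created
    {"_time": "2024-03-01T08:00:03", "EventCode": 4722, "user": "contractor"},  # enabled 3s later: normal
    {"_time": "2024-03-01T18:45:00", "EventCode": 4722, "user": "contractor"},  # re-enabled hours later: suspicious
]


def parse_time(ts):
    """ISO-8601 string -> datetime (the sample uses naive timestamps)."""
    return datetime.fromisoformat(ts)


def enabled_without_creation(events):
    """Replicates the accepted SPL:
         | stats dc(EventCode) AS dc_EventCode values(EventCode) AS EventCode BY user
         | search dc_EventCode=1 AND EventCode=4722
    i.e. report accounts whose only event code in the window is 4722.
    Returns a sorted list of user names."""
    codes_by_user = {}
    for e in events:
        codes_by_user.setdefault(e["user"], set()).add(e["EventCode"])
    return sorted(u for u, codes in codes_by_user.items() if codes == {4722})


def enabled_outside_creation_window(events, max_gap=timedelta(minutes=5)):
    """Stricter variant (an assumption of this example, not from the thread):
    flag every 4722 for which no 4720 for the same user occurred within
    max_gap before it. Returns a list of (user, _time) tuples in time order."""
    creations = {}
    for e in events:
        if e["EventCode"] == 4720:
            creations.setdefault(e["user"], []).append(parse_time(e["_time"]))

    alerts = []
    for e in sorted(events, key=lambda ev: ev["_time"]):
        if e["EventCode"] != 4722:
            continue
        t = parse_time(e["_time"])
        recently_created = any(
            0 <= (t - c).total_seconds() <= max_gap.total_seconds()
            for c in creations.get(e["user"], [])
        )
        if not recently_created:
            alerts.append((e["user"], e["_time"]))
    return alerts


if __name__ == "__main__":
    print("dc-based rule:", enabled_without_creation(SAMPLE_EVENTS))
    print("time-windowed rule:", enabled_outside_creation_window(SAMPLE_EVENTS))
```

With the sample above, the distinct-count rule reports only old.leaver, while the time-windowed rule also reports the contractor account's 18:45 re-enable. In SPL the windowed behaviour is usually expressed with streamstats or a transaction bounded by maxspan over the same two event codes; the key tuning knob in either form is the allowed gap between creation and enable, which should match how the organisation's provisioning actually behaves.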

SIEMStudent
Path Finder

Hi Giuseppe, thanks a lot, it works!

Ciao.

Luca

