Hi Splunkers,
I'm trying to build a very common search, which is: track when a Windows/Active Directory account is changed from disabled to enabled.
The starting point, the switch to enabled, is not a problem for me, because I know that tracking EventCode=4722 helps me with this scenario.
The "but" here is the following: the customer wants to be able to distinguish the legitimate changes from the non-legitimate ones.
Here there are two typical scenarios, one admitted and one not:
New User
When a new user arrives in the company and their user account is created, Active Directory first generates an account creation event and then generates another user account enable event.
This case should not be alerted because it is a normal process.
User disabled in the company
When a user left the company some time ago and his user account changes its status to Enabled, it is an abnormal event, so it should be alerted on.
So, my question is: how can I tell the legitimate situation apart from the non-legitimate one?
Hi @SIEMStudent,
assuming that a user is enabled soon after creation, you could run something like this:
index=wineventlog (EventCode=4720 OR EventCode=4722)
| stats dc(EventCode) AS dc_EventCode values(EventCode) AS EventCode BY user
| search dc_EventCode=1 AND EventCode=4722
In this way, you exclude from the results the condition where both EventCodes are present.
Ciao.
Giuseppe
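The two scenarios in the question (new hire: 4720 followed shortly by 4722; dormant account: 4722 on its own) and the stats-based answer above both reduce to one rule: a 4722 is suspicious unless a 4720 for the same account appeared shortly before it. The following is an added example, not code from the original thread or from Splunk; it implements that rule in Python over a constructed set of Windows Security events (field names `_time`, `EventCode`, `user` as the Splunk Add-on for Windows exposes them; the five-minute window and the sample accounts are assumptions) and, for comparison, also emulates the thread's time-agnostic stats/search logic so the difference is visible.

```python
from datetime import datetime, timedelta

# Constructed sample events (not taken from the original thread). Each is a
# Windows Security event reduced to the three fields the detection needs.
SAMPLE_EVENTS = [
    {"_time": "2024-03-01T09:00:00", "EventCode": 4720, "user": "jdoe"},
    {"_time": "2024-03-01T09:00:05", "EventCode": 4722, "user": "jdoe"},    # new hire: legit
    {"_time": "2024-03-10T14:30:00", "EventCode": 4722, "user": "mrossi"},  # no creation: alert
    {"_time": "2024-03-12T08:00:00", "EventCode": 4720, "user": "asmith"},
    {"_time": "2024-03-20T11:15:00", "EventCode": 4722, "user": "asmith"},  # created 8 days earlier: alert
]


def parse_time(value):
    """Parse the ISO-8601 timestamps used in the constructed sample."""
    return datetime.fromisoformat(value)


def find_suspicious_enables(events, window=timedelta(minutes=5)):
    """Return the 4722 (account enabled) events that were NOT preceded by a
    4720 (account created) for the same user within `window`.

    The window is an assumption: AD usually emits 4720 and 4722 within
    seconds of each other during provisioning, so a few minutes is generous.
    """
    creations = {}  # user -> list of creation timestamps seen so far
    alerts = []
    for ev in sorted(events, key=lambda e: parse_time(e["_time"])):
        when = parse_time(ev["_time"])
        if ev["EventCode"] == 4720:
            creations.setdefault(ev["user"], []).append(when)
        elif ev["EventCode"] == 4722:
            # Only a creation that happened *before* the enable, and within
            # the window, makes this enable part of normal provisioning.
            recent_creation = any(
                timedelta(0) <= (when - created) <= window
                for created in creations.get(ev["user"], [])
            )
            if not recent_creation:
                alerts.append(ev)
    return alerts


def stats_style_enables(events):
    """Emulate the thread's `stats dc(EventCode) ... | search dc_EventCode=1
    AND EventCode=4722` logic: flag a user only if 4722 is the *only* code
    seen for that user in the whole search window, regardless of timing."""
    codes_by_user = {}
    for ev in events:
        codes_by_user.setdefault(ev["user"], set()).add(ev["EventCode"])
    return sorted(user for user, codes in codes_by_user.items() if codes == {4722})


if __name__ == "__main__":
    for ev in find_suspicious_enables(SAMPLE_EVENTS):
        print("ALERT windowed:", ev["_time"], ev["user"])
    print("ALERT stats-style:", stats_style_enables(SAMPLE_EVENTS))
```

Run against the sample, the windowed check flags both `mrossi` (never created in the data) and `asmith` (created, but eight days before being enabled), whereas the stats-style emulation flags only `mrossi`, because `asmith` has both codes somewhere in the search range. That is the caveat to keep in mind with the stats approach: it works when the search time range is short enough that a creation and a much later re-enable cannot both fall inside it. In SPL the windowed version can be expressed with `transaction user maxspan=5m` or `streamstats` over events sorted by time, so that only a 4720 immediately preceding the 4722 suppresses the alert.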
Hi Giuseppe, thanks a lot, it works!
Ciao.
Luca