Splunk Search

Windows account enabled after been disabled

SIEMStudent
Path Finder

Hi Splunkers,

i'm trying to build a most common search, wich is: track when a WIndows/Active Directory account is changed from disabled to enabled.
The starting point, the switching to enable, is not a problem for me; this because I know that tracking the EventCode=4722 help me with this scenario.

The "but" here is the following: the customer want to be able to distinguish the legit changes from not legit ones.
Here there are two tipical scenario, one admitted and one not:

New User
When a new user arrives in the company and their user account is created, Active Directory first generates an account creation event and then generates another user account enable event.
This case should not be alerted because it is a normal process.

User disabled in the company
When a user left the company some time ago and his user account changes the status to Enabled it is an Abnormal Event, so it should be alerted.


So, my question is: how can I identify the legit situation from the not legit one?

 

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @SIEMStudent,

assuming that a user is enabled soon after creation, you could run something like this:

 

index=wineventlog (EventCode=4720 OR EventCode=4722)
| stats dc(EventCode) AS dc_EventCode values(EventCode) As EventCode BY user
| search dc_EventCode=1 AND EventCode=4722

 

in this way, you exclude from results the condition where both the EventCodes are present.

Ciao.

Giuseppe

View solution in original post

SIEMStudent
Path Finder

Hi Giuseppe, thanks a lot, it works!

Ciao.

Luca

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @SIEMStudent,

assuming that a user is enabled soon after creation, you could run something like this:

 

index=wineventlog (EventCode=4720 OR EventCode=4722)
| stats dc(EventCode) AS dc_EventCode values(EventCode) As EventCode BY user
| search dc_EventCode=1 AND EventCode=4722

 

in this way, you exclude from results the condition where both the EventCodes are present.

Ciao.

Giuseppe

Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...

span_metrics: The OpenTelemetry-Idiomatic Way to See Inside Your Services

You open a trace in Splunk Observability Cloud and everything looks fine. One root span, order-pipeline, with ...