Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to create an Alert on disabled AD accounts...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
eblackburn
Path Finder
06-10-2022
07:53 AM
Does anyone have experience writing a query that can be used to alert on disabled AD accounts being re-enabled? I've learned that Windows EventCode 4722 can be used to find accounts being enabled, but I'm unsure of how to correlate that with whether or not the account was in a disabled state beforehand.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Stefanie
Builder
06-13-2022
06:43 AM
How long back are you looking to detect when an account was disabled?
I've found a query that may suit your needs
EventCode=4725 OR EventCode=4722 earliest=-60d
|eval account=mvindex(Account_Name,1)
|stats values(_time) as times, earliest(EventCode) as firstEvent, latest(EventCode) as lastEvent by account
|replace "4722" with "enabled" in firstEvent, lastEvent
|replace "4725" with "disabled" in firstEvent, lastEvent
|search account != "*\$" AND firstEvent != "enabled" AND lastEvent != "disabled"
|convert ctime(times)
|table times, firstEvent, lastEvent, account
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Stefanie
Builder
06-13-2022
06:43 AM
How long back are you looking to detect when an account was disabled?
I've found a query that may suit your needs
EventCode=4725 OR EventCode=4722 earliest=-60d
|eval account=mvindex(Account_Name,1)
|stats values(_time) as times, earliest(EventCode) as firstEvent, latest(EventCode) as lastEvent by account
|replace "4722" with "enabled" in firstEvent, lastEvent
|replace "4725" with "disabled" in firstEvent, lastEvent
|search account != "*\$" AND firstEvent != "enabled" AND lastEvent != "disabled"
|convert ctime(times)
|table times, firstEvent, lastEvent, account
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
eblackburn
Path Finder
06-17-2022
12:58 PM
That's really helpful. Thanks!
Get Updates on the Splunk Community!
Index This | I’m short for "configuration file.” What am I?
May 2024 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with a Special ...
New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Your Guide to SPL2 at .conf24!
So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...
