Account Enabled in Windows

The following Splunk queries will show any accounts that have been enabled from a previously disabled state.

Ensure the Splunk App for Windows is installed; grab it here: https://apps.splunk.com/app/742/

Windows Server 2008 and Newer:

sourcetype=WinEventLog:Security (EventCode=4722) | eval Date=strftime(_time, "%Y/%m/%d") |rex "ID:\s+\w+\\\(?<sourceaccount>\S+)\s+" | rex "Account:\s+Security\sID:\s+\w+\\\(?<targetaccount>\S+)\s+" | stats count by Date, sourceaccount, targetaccount, Keywords, host | rename sourceaccount as "Source Account" | rename targetaccount as "Target Account" | sort - Date

Windows Server 2003 and Older:

sourcetype=WinEventLog:Security (EventCode=626) | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, Caller_User_Name, Target_Account_Name, Type, host | sort - Date
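As an added example (not from the original post or the Splunk app), the Python below applies the same logic as the Server 2008+ query to constructed 4722 events: filter on the event code, pull the subject and target accounts out of the message text, and count by date, accounts, keywords and host. The regexes are anchored on the Subject: and Target Account: labels so an unresolved SID in one section cannot shift the match to the other; every event, host and account name here is made up.

```python
import re
from collections import Counter

# Equivalent of the two rex stages in the 4722 query above, but anchored on the
# "Subject:" and "Target Account:" labels so the match cannot drift to another
# "Security ID:" line when a SID is left unresolved (no DOMAIN\ prefix).
SOURCE_RE = re.compile(r"Subject:\s+Security ID:\s+(?:\w+\\)?(?P<sourceaccount>\S+)")
TARGET_RE = re.compile(r"Target Account:\s+Security ID:\s+(?:\w+\\)?(?P<targetaccount>\S+)")


def _message(subject_sid, target_sid):
    """Abbreviated body of a 4722 event in the Security log's layout (constructed)."""
    return ("A user account was enabled.\n\n"
            "Subject:\n\tSecurity ID:\t\t" + subject_sid + "\n\tLogon ID:\t\t0x3E7\n\n"
            "Target Account:\n\tSecurity ID:\t\t" + target_sid + "\n\tAccount Domain:\t\tCORP\n")


# Constructed sample events (not real log data): jdoe enables svc_backup twice,
# an unresolved SID enables tempuser, and one unrelated 4725 (account disabled).
EVENTS = [
    {"_time": "2014-03-02 09:15:00", "EventCode": 4722, "host": "DC01",
     "Keywords": "Audit Success", "Message": _message("CORP\\jdoe", "CORP\\svc_backup")},
    {"_time": "2014-03-02 17:40:12", "EventCode": 4722, "host": "DC01",
     "Keywords": "Audit Success", "Message": _message("CORP\\jdoe", "CORP\\svc_backup")},
    {"_time": "2014-03-03 08:02:45", "EventCode": 4722, "host": "DC02",
     "Keywords": "Audit Success",
     "Message": _message("S-1-5-21-111-222-333-500", "CORP\\tempuser")},
    {"_time": "2014-03-03 08:05:00", "EventCode": 4725, "host": "DC02",
     "Keywords": "Audit Success", "Message": "A user account was disabled.\n"},
]


def summarize_enabled_accounts(events):
    """Mirror `stats count by Date, sourceaccount, targetaccount, Keywords, host`
    over EventCode 4722, newest Date first (the query's `sort - Date`)."""
    counts = Counter()
    for ev in events:
        if ev["EventCode"] != 4722:                    # (EventCode=4722)
            continue
        date = ev["_time"][:10].replace("-", "/")      # strftime(_time, "%Y/%m/%d")
        src = SOURCE_RE.search(ev["Message"])
        tgt = TARGET_RE.search(ev["Message"])
        if not (src and tgt):
            continue                                   # null field: stats drops the row
        counts[(date, src["sourceaccount"], tgt["targetaccount"],
                ev["Keywords"], ev["host"])] += 1
    return sorted(counts.items(), key=lambda kv: kv[0][0], reverse=True)


if __name__ == "__main__":
    for (date, src, tgt, keywords, host), n in summarize_enabled_accounts(EVENTS):
        print(f"{date}  {src:<26} -> {tgt:<12} {keywords:<14} {host}  count={n}")
```

Rows whose subject SID was never resolved show the raw SID in the source column instead of being silently dropped, which is worth keeping visible in a detection that watches for re-enabled accounts.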
