This is a search you can use as an alert or whatever you desire to look for AD accounts that have been disabled in the past 90 days then re-enabled in the past 24h. You can tweak as needed.
|
1 2 3 4 5 6 7 8 9 10 11 12 |
index=YOURINDEX EventCode IN (4725,4722) earliest=-90d | eval account=mvindex(Account_Name,1) ```separate out the account from the logs and create a field for it``` | stats values(_time) as times, earliest(EventCode) as firstEvent, latest(EventCode) as lastEvent, latest(Account_Name) as lastAccounts, earliest(Account_Name) as firstAccounts by account ```get the stats values of these fields and rename them for further manipulation``` | eval last_action_user=mvindex(lastAccounts,0), first_action_user=mvindex(firstAccounts, 0) ```separate out the accounts that did the disabling & re-enabling and create fields for them``` | replace "4722" with "enabled" in firstEvent, lastEvent | replace "4725" with "disabled" in firstEvent, lastEvent | search account != "*\$" AND firstEvent != "enabled" AND lastEvent != "disabled" | eval enabled_DT=mvindex(times,-1), disabled_DT=mvindex(times, -1-1) ```create fields to show when the affected account was disabled then re-enabled``` | where enabled_DT > relative_time(now(), "-1h@h") ```this determines what range to look for the re-enabling``` | table first_action_user, account, last_action_user, disabled_DT, enabled_DT | rename first_action_user as "Disable Actioning Account", account as "Enabled Account", last_action_user as "Enable Actioning Account", disabled_DT as "DateTime Disabled", enabled_DT as "DateTime Enabled" | convert ctime("DateTime Disabled"), ctime("DateTime Enabled") ```need to convert the time from Unix Epoch to standard time``` |
