Search for disabled AD accounts that have been re-enabled

This is a search you can use as an alert, or however else you see fit, to find AD accounts that were disabled (event 4725) in the past 90 days and then re-enabled (event 4722) in the past 24h. Note that the where clause as written only looks back one hour (-1h@h) for the re-enable; tweak the ranges as needed.

index=YOURINDEX EventCode IN (4725,4722) earliest=-90d 
| eval account=mvindex(Account_Name,1) ```separate out the account from the logs and create a field for it```
| stats values(_time) as times, earliest(EventCode) as firstEvent, latest(EventCode) as lastEvent, latest(Account_Name) as lastAccounts, earliest(Account_Name) as firstAccounts by account ```get the stats values of these fields and rename them for further manipulation```
| eval last_action_user=mvindex(lastAccounts,0), first_action_user=mvindex(firstAccounts, 0) ```separate out the accounts that did the disabling & re-enabling and create fields for them```
| replace "4722" with "enabled" in firstEvent, lastEvent
| replace "4725" with "disabled" in firstEvent, lastEvent
| search account != "*\$" AND firstEvent != "enabled" AND lastEvent != "disabled"
| eval enabled_DT=mvindex(times,-1), disabled_DT=mvindex(times, -2) ```create fields to show when the affected account was disabled then re-enabled```
| where enabled_DT > relative_time(now(), "-1h@h") ```this determines what range to look for the re-enabling```
| table first_action_user, account, last_action_user, disabled_DT, enabled_DT
| rename first_action_user as "Disable Actioning Account", account as "Enabled Account", last_action_user as "Enable Actioning Account", disabled_DT as "DateTime Disabled", enabled_DT as "DateTime Enabled"
| convert ctime("DateTime Disabled"), ctime("DateTime Enabled") ```need to convert the time from Unix Epoch to standard time```
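The same detection logic, re-implemented in Python so it can be run offline against a few constructed Security-log records. This is an added example, not the original search: the event records, account names and timestamps are all made up, the one-hour window is a plain cutoff with no snap to the hour, and it goes one step beyond the SPL by pairing each re-enable with the most recent 4725 that precedes it for that account, rather than assuming the disable is always the second-to-last event (which is not true when an account has been toggled several times in the lookback period).

```python
"""Detect AD accounts disabled (4725) and then re-enabled (4722).

Constructed example, not the original Splunk search: the same logic is
expressed in Python over synthetic event records so it runs offline.
"""
from datetime import datetime, timedelta, timezone

DISABLED = 4725  # "A user account was disabled"
ENABLED = 4722   # "A user account was enabled"

# Constructed sample events. A real 4722/4725 record carries the subject
# (who acted) and the target (who was changed) as separate fields; the SPL
# above recovers them from the multivalue Account_Name field instead.
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    # disabled 10 days ago, re-enabled 20 minutes ago -> reported
    {"time": NOW - timedelta(days=10), "code": DISABLED, "subject": "admin.jane", "target": "bob"},
    {"time": NOW - timedelta(minutes=20), "code": ENABLED, "subject": "helpdesk1", "target": "bob"},
    # re-enabled 5 hours ago: outside a 1h window, inside a 24h window
    {"time": NOW - timedelta(days=3), "code": DISABLED, "subject": "admin.jane", "target": "carol"},
    {"time": NOW - timedelta(hours=5), "code": ENABLED, "subject": "admin.jane", "target": "carol"},
    # computer account -> ignored, like account != "*$" in the SPL
    {"time": NOW - timedelta(days=1), "code": DISABLED, "subject": "svc.join", "target": "WS01$"},
    {"time": NOW - timedelta(minutes=5), "code": ENABLED, "subject": "svc.join", "target": "WS01$"},
    # enabled with no prior disable in the lookback -> not reported
    {"time": NOW - timedelta(minutes=30), "code": ENABLED, "subject": "helpdesk2", "target": "dave"},
    # disable is older than the 90-day lookback -> not reported
    {"time": NOW - timedelta(days=120), "code": DISABLED, "subject": "admin.jane", "target": "erin"},
    {"time": NOW - timedelta(minutes=10), "code": ENABLED, "subject": "helpdesk1", "target": "erin"},
]


def find_reenabled(events, now, lookback_days=90, window_hours=1):
    """Return one finding per account whose latest event inside the lookback
    is a 4722 within the alert window and that has an earlier 4725.

    The enable is paired with the most recent preceding disable, so accounts
    toggled several times in the lookback are still attributed correctly.
    """
    lookback_start = now - timedelta(days=lookback_days)
    window_start = now - timedelta(hours=window_hours)

    # Group events by target account, dropping computer accounts and
    # anything older than the lookback (the SPL does this with earliest=-90d).
    by_account = {}
    for ev in events:
        if ev["time"] < lookback_start or ev["target"].endswith("$"):
            continue
        by_account.setdefault(ev["target"], []).append(ev)

    findings = []
    for account, evs in sorted(by_account.items()):
        evs.sort(key=lambda e: e["time"])
        last = evs[-1]
        # Latest action must be an enable, and recent enough to alert on.
        if last["code"] != ENABLED or last["time"] < window_start:
            continue
        disables = [e for e in evs[:-1] if e["code"] == DISABLED]
        if not disables:
            continue
        disable = disables[-1]  # most recent disable before the re-enable
        findings.append({
            "Disable Actioning Account": disable["subject"],
            "Enabled Account": account,
            "Enable Actioning Account": last["subject"],
            "DateTime Disabled": disable["time"].isoformat(),
            "DateTime Enabled": last["time"].isoformat(),
        })
    return findings


if __name__ == "__main__":
    for row in find_reenabled(SAMPLE_EVENTS, NOW):
        print(row)
```

Running it with the default one-hour window reports only bob; widening window_hours to 24 (the range the intro describes) also picks up carol, while the computer account, the enable with no prior disable, and the disable older than 90 days are all excluded, matching the filters in the search above.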