The following Splunk queries will show any accounts that have been enabled from a previously disabled state. Ensure the Splunk App for Windows is installed; grab it here: https://apps.splunk.com/app/742/

Windows Server 2008 and Newer:

sourcetype=WinEventLog:Security (EventCode=4722) | eval Date=strftime(_time, "%Y/%m/%d") | rex "ID:\s+\w+\\\(?<sourceaccount>\S+)\s+" | rex "Account:\s+Security\sID:\s+\w+\\\(?<targetaccount>\S+)\s+" | stats count by Date, sourceaccount, targetaccount, Keywords, host | rename […]
Accounts Enabled
This query returns all accounts enabled in a given time range. It uses the EventCode for Windows Server 2008 and newer operating systems:

sourcetype=WinEventLog:Security (EventCode=4722) | stats count by index, user, host, name
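The same detection logic as the first query, run offline in Python over constructed 4722 events, as an added example that is not part of the original post. The two rex patterns are tightened versions of the page's: each is anchored to its section header ("Subject:" / "Target Account:") and the domain prefix is optional, so an unresolved Subject SID such as S-1-5-18 cannot make the first pattern slide forward and capture the target account instead. The event field names and sample values are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Anchored variants of the query's two rex patterns (see lead-in for why).
SOURCE_RE = re.compile(r"Subject:\s+Security ID:\s+(?:\w+\\)?(?P<sourceaccount>\S+)")
TARGET_RE = re.compile(r"Target Account:\s+Security ID:\s+(?:\w+\\)?(?P<targetaccount>\S+)")


def _message(subject_sid, target_sid):
    """Constructed, abbreviated body of a 4722 event in the layout Windows renders."""
    return ("A user account was enabled.\r\n\r\nSubject:\r\n\tSecurity ID:\t\t%s\r\n"
            "\tLogon ID:\t\t0x3E7\r\n\r\nTarget Account:\r\n\tSecurity ID:\t\t%s\r\n"
            % (subject_sid, target_sid))


# Constructed sample events carrying the fields Splunk extracts from WinEventLog:Security.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "host": "DC01", "EventCode": 4722, "Keywords": "Audit Success",
     "Message": _message("CORP\\helpdesk1", "CORP\\jsmith")},
    {"_time": 1700000600, "host": "DC01", "EventCode": 4722, "Keywords": "Audit Success",
     "Message": _message("CORP\\helpdesk1", "CORP\\jsmith")},
    {"_time": 1700100000, "host": "DC02", "EventCode": 4722, "Keywords": "Audit Success",
     "Message": _message("S-1-5-18", "CORP\\svc-backup")},  # unresolved subject SID
    {"_time": 1700100000, "host": "DC02", "EventCode": 4720, "Keywords": "Audit Success",
     "Message": "A user account was created."},  # not an enable event; must be ignored
]


def accounts_enabled(events, tz=timezone.utc):
    """Mirror the query: keep EventCode=4722, derive Date as %Y/%m/%d, extract the
    source and target accounts, and count by (Date, sourceaccount, targetaccount,
    Keywords, host). Splunk's strftime uses the search head's timezone; UTC here."""
    counts = Counter()
    for ev in events:
        if ev.get("EventCode") != 4722:
            continue
        date = datetime.fromtimestamp(ev["_time"], tz=tz).strftime("%Y/%m/%d")
        src = SOURCE_RE.search(ev["Message"])
        tgt = TARGET_RE.search(ev["Message"])
        key = (date,
               src.group("sourceaccount") if src else None,
               tgt.group("targetaccount") if tgt else None,
               ev.get("Keywords"), ev.get("host"))
        counts[key] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in sorted(accounts_enabled(SAMPLE_EVENTS).items(), key=str):
        print(n, *key)
```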