A user's account was disabled in July, but suddenly it was enabled in October and a password reset was performed by an IT person. I wanted to set an alert for such cases in future so that I'll be notified of such activities.
A step-by-step approach might look something like this:
EventCode=4725 OR EventCode=4722 earliest=-60d
| eval account=mvindex(Account_Name,1)
| stats values(_time) as times, earliest(EventCode) as firstEvent, latest(EventCode) as lastEvent by account
| replace "4722" with "enabled" in firstEvent, lastEvent
| replace "4725" with "disabled" in firstEvent, lastEvent
| search account != "*\$" AND firstEvent != "enabled" AND lastEvent != "disabled"
| convert ctime(times)
| table times, firstEvent, lastEvent, account
Presuming your data source is Active Directory and you've got some parsing happening!
Hi Samhays,
Can we modify this query a bit more?
I want the list of accounts which were disabled earlier and then, after 60 days or more, someone enabled them again.
Is this possible?
I'm not sure I fully understand - could you write up some example output?
Hi Sam - Currently I'm getting the view as below.
08/18/2018 01:47:17
08/29/2018 22:10:24
firstEvent: disabled
lastEvent: enabled
Now I want those usernames who were disabled 2 months ago or more.
There was no activity on those accounts in the meantime, and suddenly after 2 months someone enabled the accounts again.
e.g. Disabled on: 01 June 2018 12:xx:xx
Enabled on: 10 Oct 2018 12:xx:xx
username: xxx
by whom: abc person
- The intended time gap between disabling and enabling should be 60 days or more.
I hope you understand what I wanted to explain 😕
Thanks in advance for your help.
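The logic being asked for here (a disable followed, 60 days or more later, by a re-enable with nothing in between, plus who performed the enable) can be checked outside Splunk as well. The script below is an added example written for this thread, not code from any of the posters: it applies the same pairing as the SPL answer above to constructed sample Windows Security events (EventCode 4725 = account disabled, 4722 = account enabled), takes the subject and target account in the order the SPL assumes via mvindex(Account_Name, 1), skips computer accounts ending in "$" as the SPL does, and additionally computes the gap and reports the actor. The timestamps, usernames and the 60-day threshold are assumptions for the sample.

```python
"""Find accounts re-enabled long after they were disabled (added example).

Constructed sample data; event tuples are (timestamp, EventCode, subject, target),
where subject is the account that performed the change and target is the
account that was changed (the same field order the SPL answer relies on).
"""
from datetime import datetime, timedelta

DISABLED, ENABLED = 4725, 4722        # Windows Security event IDs from the thread
MIN_GAP = timedelta(days=60)          # threshold requested in the follow-up

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    ("2018-06-01 12:03:11", DISABLED, "itadmin1", "jdoe"),
    ("2018-10-10 12:41:52", ENABLED,  "itadmin2", "jdoe"),     # 131 days later
    ("2018-08-18 01:47:17", DISABLED, "itadmin1", "asmith"),
    ("2018-08-29 22:10:24", ENABLED,  "itadmin1", "asmith"),   # only 11 days
    ("2018-07-05 09:00:00", DISABLED, "itadmin1", "SRV01$"),   # computer account
    ("2018-10-01 09:00:00", ENABLED,  "itadmin1", "SRV01$"),
    ("2018-05-02 08:15:00", DISABLED, "itadmin3", "bwayne"),
    ("2018-06-20 08:15:00", ENABLED,  "itadmin3", "bwayne"),   # 49 days, resets
    ("2018-06-21 08:15:00", DISABLED, "itadmin3", "bwayne"),
    ("2018-09-15 08:15:00", ENABLED,  "itadmin3", "bwayne"),   # 86 days later
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_stale_reenables(events, min_gap=MIN_GAP, skip_computer_accounts=True):
    """Return (target, disabled_at, enabled_at, gap_days, enabled_by) for every
    enable that follows the most recent disable of the same account by at least
    min_gap.  An enable always consumes the pending disable, so a quick
    disable/enable cycle does not count and a later disable starts a new clock.
    """
    by_account = {}
    for ts, code, subject, target in events:
        if skip_computer_accounts and target.endswith("$"):
            continue                                  # same as account != "*$"
        by_account.setdefault(target, []).append((parse_ts(ts), code, subject))

    findings = []
    for target, recs in by_account.items():
        recs.sort()                                   # chronological per account
        pending_disable = None
        for when, code, subject in recs:
            if code == DISABLED:
                pending_disable = when
            elif code == ENABLED and pending_disable is not None:
                gap = when - pending_disable
                if gap >= min_gap:
                    findings.append((target, pending_disable, when, gap.days, subject))
                pending_disable = None
    return findings


if __name__ == "__main__":
    for target, off, on, days, who in find_stale_reenables(SAMPLE_EVENTS):
        print(f"{target}: disabled {off:%Y-%m-%d}, enabled {on:%Y-%m-%d} "
              f"by {who} after {days} days")
```

Run on the sample, it reports jdoe (131 days, enabled by itadmin2) and bwayne (86 days, enabled by itadmin3) and stays quiet about asmith and the computer account; the min_gap and skip_computer_accounts parameters let you tune the same two knobs the SPL hard-codes.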
@abhijeetbhadane - Can you please give a sample event here?
I have used the below query to find out user accounts which were disabled and then enabled after 30 days in AD.
index=* host="o365:ms" (Operation="Enable account." OR Operation="Disable account.") earliest=-30d object_id="*@domain.com"
| stats values(_time) as times earliest(Operation) as firstEvent latest(Operation) as lastEvent by username
| replace "Enable account." with "enabled" in firstEvent, lastEvent
| replace "Disable account." with "disabled" in firstEvent, lastEvent
| search firstEvent="disabled" AND lastEvent="enabled"
| convert ctime(times)
| table times firstEvent lastEvent username
It's not giving me the desired results.
Can someone help me in resolving this?