Security

Activity for a privileged account previously disabled and recently rehabilitated

wvalente
Explorer

Hi Guys,

I need help setting up a search that alerts me when a privileged account was disabled and then enabled again within a certain period of time.

I have no idea how I can construct this search.

Help, please.

Tks guys.

0 Karma

gcusello
SplunkTrust

Hi wvalente,
I'm not sure about the EventCode, but they should be 4722 (enabled) and 4725 (disabled), so you should try something like this:

index=wineventlog sourcetype=WinEventLog:Security (EventCode=4722 OR EventCode=4725)
| transaction Account_Name 
| search EventCode=4722 EventCode=4725

In this way you create one event that correlates all the events for each Account_Name; if both EventCode 4722 and 4725 are present, you can trigger an alert.
You can manage the time range with earliest and latest.

Bye.
Giuseppe

0 Karma

wvalente
Explorer

Hi Giuseppe,

Sorry, I was looking for Linux devices.

Do you know?

Tks

0 Karma

gcusello
SplunkTrust

It's the same thing, only with different field names:

index=your_index sourcetype=your_sourcetype (EventCode=4722 OR EventCode=4725)
| transaction user 
| search EventCode=4722 EventCode=4725

Bye.
Giuseppe

0 Karma
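Both answers above rely on the same idea: pair a "disabled" event with a later "enabled" event for the same account. On Windows those are Security log EventCode 4725 (A user account was disabled) and 4722 (A user account was enabled); on Linux there is no EventCode, so the equivalent has to come from auditd (or /var/log/secure) records written when an account is locked and unlocked. The Python below is an added example, not code from either post or from Splunk: it runs the same correlation that transaction does over constructed sample lines from both sources, but also enforces order (disable before enable) and a maximum gap, which transaction only enforces when given maxspan. The Windows lines use a flattened, constructed key=value form with a Target_Account_Name field; the auditd record types ACCT_LOCK/ACCT_UNLOCK, the op= values and the uid-to-name map are assumptions to adapt to your own audit configuration.

```python
"""Detect a privileged account that was disabled and then re-enabled within a
short window.  Added example for this thread, not code from the original posts.
All log lines are constructed; the auditd field values are assumptions."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class AcctEvent:
    ts: datetime
    account: str      # the account acted on (target), never the operator
    action: str       # "disabled" or "enabled"
    source: str       # "windows" or "linux"


# Windows Security log: 4725 = account disabled, 4722 = account enabled.  Both
# carry a Subject (operator) and a Target account, so key on the target only.
# Constructed flattened form; real raw events are multi-line "Account Name:" text.
WIN_RE = re.compile(r"^(?P<ts>\S+)\s+EventCode=(?P<code>\d+).*?Target_Account_Name=(?P<target>\S+)")
WIN_ACTION = {"4725": "disabled", "4722": "enabled"}

# Linux auditd: assumed record types and op= values for a passwd -l / passwd -u
# style lock and unlock; map them to whatever your audit daemon actually emits.
AUDIT_RE = re.compile(r"^type=\S+ msg=audit\((?P<epoch>\d+)\.\d+:\d+\):.*?msg='op=(?P<op>\S+) id=(?P<id>\d+)")
AUDIT_ACTION = {"lock-account": "disabled", "unlock-account": "enabled"}
UID_NAMES = {"1002": "svc_backup", "1003": "deploy"}   # constructed uid -> name map

PRIVILEGED = {"svc_backup", "jdoe", "deploy", "alice"}  # constructed watch list

SAMPLE_WINDOWS = [  # constructed
    "2024-05-01T10:00:00Z EventCode=4725 Subject_Account_Name=admin1 Target_Account_Name=svc_backup",
    "2024-05-01T10:25:00Z EventCode=4722 Subject_Account_Name=admin1 Target_Account_Name=svc_backup",
    "2024-05-01T11:00:00Z EventCode=4725 Subject_Account_Name=admin1 Target_Account_Name=jdoe",
    "2024-05-04T09:00:00Z EventCode=4722 Subject_Account_Name=admin2 Target_Account_Name=jdoe",
    "2024-05-01T12:00:00Z EventCode=4722 Subject_Account_Name=admin1 Target_Account_Name=alice",
    "2024-05-01T12:30:00Z EventCode=4720 Subject_Account_Name=admin1 Target_Account_Name=bob",
]
SAMPLE_AUDITD = [  # constructed; epochs are 2024-05-01 10:00 and 11:00 UTC
    "type=ACCT_LOCK msg=audit(1714557600.101:501): pid=2211 uid=0 auid=1000 ses=3 "
    "msg='op=lock-account id=1003 exe=\"/usr/bin/passwd\" terminal=pts/0 res=success'",
    "type=ACCT_UNLOCK msg=audit(1714561200.102:502): pid=2290 uid=0 auid=1000 ses=3 "
    "msg='op=unlock-account id=1003 exe=\"/usr/bin/passwd\" terminal=pts/0 res=success'",
]


def parse_windows(line):
    """Return an AcctEvent for a 4722/4725 line, None for anything else."""
    m = WIN_RE.match(line)
    if not m or m["code"] not in WIN_ACTION:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return AcctEvent(ts, m["target"], WIN_ACTION[m["code"]], "windows")


def parse_auditd(line):
    """Return an AcctEvent for an assumed lock/unlock audit record, else None."""
    m = AUDIT_RE.match(line)
    if not m or m["op"] not in AUDIT_ACTION:
        return None
    ts = datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc)
    name = UID_NAMES.get(m["id"], "uid:" + m["id"])
    return AcctEvent(ts, name, AUDIT_ACTION[m["op"]], "linux")


def correlate(events, window, privileged):
    """Yield (account, source, disabled_at, enabled_at) for every enable that
    follows a disable of the same account within `window`.  Order and elapsed
    time both matter, which transaction only checks when given maxspan."""
    last_disable = {}
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.account not in privileged:
            continue
        if ev.action == "disabled":
            last_disable[ev.account] = ev.ts
        else:
            t0 = last_disable.pop(ev.account, None)
            if t0 is not None and ev.ts - t0 <= window:
                findings.append((ev.account, ev.source, t0, ev.ts))
    return findings


def run_demo(window_seconds=24 * 3600):
    events = [e for e in map(parse_windows, SAMPLE_WINDOWS) if e]
    events += [e for e in map(parse_auditd, SAMPLE_AUDITD) if e]
    return correlate(events, timedelta(seconds=window_seconds), PRIVILEGED)


if __name__ == "__main__":
    for acct, src, t0, t1 in run_demo():
        print(f"{src}: {acct} disabled {t0:%Y-%m-%d %H:%M} re-enabled {t1:%Y-%m-%d %H:%M} after {t1 - t0}")
```

With a 24-hour window the demo flags svc_backup (Windows, re-enabled after 25 minutes) and deploy (Linux, unlocked after an hour); jdoe is re-enabled three days later and alice has no preceding disable, so neither fires. Two caveats carry back to the SPL above: in 4722/4725 events the Account_Name field holds both the subject (the administrator making the change) and the target account, so transaction Account_Name can pair events on the operator rather than the account; and without maxspan=<time> on transaction a re-enable weeks later still satisfies "both codes present".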