Search for events in sequence over time

I am attempting to create a search to alert on when a previously disabled employee is re-enabled. Currently, my search is as follows:

index=* EventCode=4738 sourcetype="WinEventLog:Security" New_UAC_Value="0x10" | join type=inner [search earliest=-3m@d latest=now index=* sourcetype="WinEventLog:Security" EventCode=4725] | table _time,user,src_user,Old_UAC_Value,New_UAC_Value,EventCode

The first search identifies accounts that have been re-enabled. While this is half the battle, it also includes accounts that are being created or modified in some way. The second search (after the join) identifies disabled accounts. What I need to identify in my search are those accounts that at some time in the past were disabled, and then more recently re-enabled. Joining these two searches in the manner above does not produce what I expect it to. I greatly appreciate any help provided.
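The correlation the question asks for (a 4725 "account disabled" followed later by a 4738 whose UAC change clears the disabled bit, for the same target account), written here as a stand-alone Python example. This is added illustration, not code from the original post and not a Splunk search. It assumes the events have already been extracted into key=value lines using the field names from the question (`user` for the target account, `src_user` for the subject who made the change, `Old_UAC_Value`/`New_UAC_Value` as hex); that line format and all sample events are constructed. The flag decoding (bit 0x1 of the Old/New UAC Value meaning Account Disabled, 0x10 meaning Normal Account) follows how the 4720/4738 events document that field; treat it as an assumption and verify against your own events before alerting on it.

```python
"""Find accounts disabled by Event ID 4725 and later re-enabled by a 4738
that clears the Account Disabled bit. Constructed example; the key=value
input format and the sample events below are not real log data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumption: in the Old/New UAC Value hex field of 4720/4738 events,
# bit 0x1 is "Account Disabled" and 0x10 is "Normal Account".
UAC_ACCOUNT_DISABLED = 0x1


@dataclass
class Event:
    time: datetime
    event_code: int
    target_user: str       # the account being acted on (Splunk field "user")
    subject_user: str      # who performed the change (Splunk field "src_user")
    old_uac: Optional[int] = None
    new_uac: Optional[int] = None


def parse_event(line: str) -> Event:
    """Parse one constructed key=value line (not the native EVTX/XML format)."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Event(
        time=datetime.strptime(fields["_time"], "%Y-%m-%dT%H:%M:%S"),
        event_code=int(fields["EventCode"]),
        target_user=fields["user"].lower(),
        subject_user=fields.get("src_user", "").lower(),
        old_uac=int(fields["Old_UAC_Value"], 16) if "Old_UAC_Value" in fields else None,
        new_uac=int(fields["New_UAC_Value"], 16) if "New_UAC_Value" in fields else None,
    )


def is_reenable(ev: Event) -> bool:
    """True only for a 4738 whose UAC transition clears the disabled bit.
    A 4738 with 0x10 -> 0x10 (e.g. a password attribute change) is not one."""
    if ev.event_code != 4738 or ev.old_uac is None or ev.new_uac is None:
        return False
    return bool(ev.old_uac & UAC_ACCOUNT_DISABLED) and not (ev.new_uac & UAC_ACCOUNT_DISABLED)


def find_reenabled(events: List[Event],
                   lookback: timedelta = timedelta(days=90)) -> List[Tuple[Event, Event]]:
    """Return (reenable_4738, prior_4725) pairs for the same target account,
    where the 4725 happened within `lookback` before the 4738.
    Events are processed in time order, so a 4738 only sees earlier 4725s;
    a re-enable with no preceding 4725 (e.g. an account created disabled and
    then enabled) is deliberately not reported."""
    last_disable: Dict[str, Event] = {}
    hits: List[Tuple[Event, Event]] = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_code == 4725:
            last_disable[ev.target_user] = ev
        elif is_reenable(ev):
            dis = last_disable.get(ev.target_user)
            if dis is not None and ev.time - dis.time <= lookback:
                hits.append((ev, dis))
                del last_disable[ev.target_user]  # one alert per disable/enable cycle
    return hits


# Constructed sample events covering the cases the question describes.
SAMPLE_LINES = [
    # disabled long ago, re-enabled outside the 90-day window: not reported
    "_time=2024-01-05T08:00:00 EventCode=4725 user=old_user src_user=admin1",
    # disabled, then re-enabled six weeks later: reported
    "_time=2024-03-01T09:00:00 EventCode=4725 user=jdoe src_user=admin1",
    # 4738 that changes something other than the disabled bit: not reported
    "_time=2024-03-02T10:00:00 EventCode=4738 user=asmith src_user=asmith Old_UAC_Value=0x10 New_UAC_Value=0x10",
    # newly created account (0x15 = disabled + pw-not-required + normal) being enabled, no 4725: not reported
    "_time=2024-03-03T11:00:00 EventCode=4738 user=bnew src_user=admin1 Old_UAC_Value=0x15 New_UAC_Value=0x10",
    # 0x11 -> 0x10 clears the disabled bit on a normal account: the re-enable of jdoe
    "_time=2024-03-15T14:30:00 EventCode=4738 user=jdoe src_user=helpdesk2 Old_UAC_Value=0x11 New_UAC_Value=0x10",
    "_time=2024-06-01T09:00:00 EventCode=4738 user=old_user src_user=helpdesk2 Old_UAC_Value=0x11 New_UAC_Value=0x10",
]


def load_sample() -> List[Event]:
    return [parse_event(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for reenable, disable in find_reenabled(load_sample()):
        print(f"{reenable.time} {reenable.target_user} re-enabled by {reenable.subject_user}; "
              f"was disabled {disable.time} by {disable.subject_user}")
```

The detection keys every event on the target account and only looks backwards in time from each 4738, which is what excludes the account-creation and unrelated-modification events the question mentions; the `lookback` window plays the role of the subsearch's `earliest`. Whatever the final search language, the check to preserve is that the disabled bit was set in the old UAC value and clear in the new one, not merely that the new value equals a particular constant.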
