My requirement is to detect login attempts by a disabled user. Typically this could be found using EventCode 4768 and result code 0x12. I wanted to enhance this to look specifically for a user that has been "disabled" in AD. With this in mind, I wrote the following search that joins 2 indexes that contain the information, and it gets the results.
index=windows EventCode=4768 AND Result_Code="0x12" | bucket _time span=5m | stats count by Account_Name | where count > 8
| rename Account_Name AS SamAccountName
| join type=inner [search index=adinfo source=csv:ad Enabled=false | fields SamAccountName]
| table *
While this is good information and achieves my objective, I noted a discrepancy in the counts for certain users. If I drop the join and just use a query such as
index=windows EventCode=4768 AND Result_Code="0x12" | bucket _time span=5m | stats count by Account_Name | where count > 8
I will get results. However, what I have noted is that some users (not all) show a discrepancy in count. For example:
User1 (join shows count of 10 | non-join shows count of 10)
User2 (join shows count of 15 | non-join shows count of 16)
User3 (join shows count of 3400 | non-join shows count of 3459)
User4 (join shows count of 9 | non-join shows count of 9)
User5 (join shows count of 45 | non-join shows count of 45)
User6 (join shows count of 98 | non-join shows count of 99)
I am unable to figure out why this discrepancy exists. I also did find that if I then view a particular user (for example User3 from the join statistics) and drill down, I eventually end up with the same numbers that I would find in the non-join search.
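As an added illustration (not part of the original post), the same detection written without join: the disabled-account list from the adinfo index is applied as a subsearch filter on the base 4768 search (result code 0x12 is KDC_ERR_CLIENT_REVOKED), with SamAccountName renamed to Account_Name inside the subsearch so the generated filter matches the Windows field. It assumes the intent of the bucket command is a per-5-minute threshold, so _time is kept in the stats by clause; the field names, index names and the csv:ad source are taken from the post above.

```spl
index=windows EventCode=4768 Result_Code="0x12"
    [ search index=adinfo source=csv:ad Enabled=false
      | dedup SamAccountName
      | fields SamAccountName
      | rename SamAccountName AS Account_Name
      | format ]
| bucket _time span=5m
| stats count BY _time Account_Name
| where count > 8
| table _time Account_Name count
```

Because the filter is applied before stats, the counts come from exactly the events the non-join search sees; bear in mind that a subsearch is still bounded by the limits.conf subsearch maxout and maxtime limits and inherits the outer search's time range, so the adinfo data must fall inside it.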