Search queries for monitoring cases where a user creates an account and then deletes it within a given time window.
```Pair every account creation with a later deletion of the same account and keep only pairs closed within one hour (transaction's duration field is in seconds). 624/630 are the legacy (pre-2008) creation/deletion event IDs, 4720/4726 the current ones, so both generations of logs are covered. NOTE(review): the pair is built on the `user` field, so both events must carry the created account's name in `user` — confirm this against your field extractions before trusting the output.```
sourcetype=WinEventLog:Security (EventCode=630 OR EventCode=4726 OR EventCode=624 OR
EventCode=4720) | eval status=case(EventCode=630, "Account Deletion", EventCode=4726, "Account
Deletion", EventCode=624, "Account Creation", EventCode=4720, "Account Creation") |transaction
user startswith=status="Account Creation" endswith=status="Account Deletion" maxevents=2 |
where duration < 3600
Or try this:
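```Same creation-then-deletion pairing as the sourcetype-based search, widened to 24 h and flattened into one row per pair. Inside a transaction, mvindex(field, 0) is the creation event and mvindex(field, 1) the deletion event, because startswith/endswith fix their order.```
index=wineventlog (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720)
```Capture the leading "date time AM/PM" stamp of the raw event into `time`. The named group is reconstructed from the mvindex(time, ...) evals below — confirm against a raw event.```
| rex field=_raw "(?ms)^(?P<time>\d+\S+\s\S*\s\w+)"
| eval status=case(EventCode=630, "Account Deletion", EventCode=4726, "Account Deletion", EventCode=624, "Account Creation", EventCode=4720, "Account Creation")
| transaction user startswith=status="Account Creation" endswith=status="Account Deletion" maxevents=2
| where duration < 86400
| eval Account_Created_Time=mvindex(time,0)
| eval Account_Deleted_Time=mvindex(time,1)
| eval Created_Account_EventCode=mvindex(EventCode,0)
| eval Deleted_Account_EventCode=mvindex(EventCode,1)
| eval Account_Created_By=mvindex(src_user,0)
| eval Account_Deleted_By=mvindex(src_user,1)
| table Account_Created_Time Account_Created_By Created_Account_EventCode user Account_Deleted_Time Deleted_Account_EventCode Account_Deleted_By
```When the same actor performed both actions, transaction appears to collapse src_user to a single value and mvindex(src_user,1) is null; fall back to the creator in that case.```
| eval Account_Deleted_By=if(isnull(Account_Deleted_By),Account_Created_By,Account_Deleted_By)
| rename user AS Account_Created_And_Deleted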
To identify admins added to groups:
```Accounts matching a_* (presumably the site's admin naming convention) added to security-enabled groups: 4728 = global group, 4732 = domain-local group, 4756 = universal group. The three Group_Name values are placeholders that must be filled in before use; the angle-bracketed names appear to have been lost in extraction.```
(EventCode=4728 OR EventCode=4732 OR EventCode=4756) a_* (Group_Name= OR Group_Name= OR
Group_Name=Group_Name3>
For LDAP group reporting:
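```Group membership per user object (needs the ldapsearch command from the Splunk Supporting Add-on for Active Directory). Only the two attributes that reach the table are requested; attrs=* would pull every attribute of every user object and discard it.```
| ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))" attrs="sAMAccountName,memberOf"
| table sAMAccountName memberOf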
To pull the latest membership and format each member as a record:
```Latest membership of every group object, one row per member. The objectCategory DN (DC=foo,DC=bar,DC=com) is a placeholder for this forest's schema path. NOTE(review): dedup cn keeps the first event seen per group, which is the newest one only if results arrive in the default reverse-chronological order — confirm.```
index=ad_* objectCategory="CN=Group,CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=com" | dedup
cn | eval splitted=split(member, "|") | mvexpand splitted | table cn splitted _time
Or:
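```Members that appear only in the previous membership snapshot and not in the latest one (i.e. removed members), restricted to groups whose latest snapshot is less than a day old. Zone marks which snapshot a row came from. The objectCategory DN is a placeholder for this forest; both halves of the search must use the same DN.```
index=ad_* objectCategory="CN=Group,CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=com"
| fields - _raw
| dedup cn
| eval splitted=split(member, "|")
| mvexpand splitted
| eval Zone="Latest"
| table cn splitted Zone _time
```Previous snapshot: events older than each group's latest event, newest of those per group. append runs this as a subsearch and is therefore bound by the subsearch result/time limits — check for truncation in a large forest.```
| append [ | search index=ad_* objectCategory="CN=Group,CN=Schema,CN=Configuration,DC=foo,DC=bar,DC=com"
    | fields - _raw
    | eventstats latest(_time) AS latest_timestamp by cn
    | where _time < latest_timestamp
    | dedup cn
    | eval splitted=split(member, "|")
    | mvexpand splitted
    | eval Zone="Previous"
    | table cn splitted Zone _time latest_timestamp ]
```One row per member across both snapshots; after nomv, a Zone of exactly "Previous" means the member is in no group's latest snapshot.```
| stats values(cn) AS cn, values(Zone) AS Zone, values(_time) AS Timestamp, values(latest_timestamp) AS latest_timestamp by splitted
| nomv Zone
| search Zone="Previous"
```Only groups synced within the last 24 h (86400 s).```
| eval t=now()
| eval t_earliest=(t - 86400 * 1)
| where latest_timestamp>t_earliest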
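```Additions to / removals from monitored groups in the last 5 minutes, with the actor and the affected account. 4728/4729 cover security-enabled GLOBAL groups only; Domain Admins is global, but if any monitored group is domain-local or universal, 4732/4733 and 4756/4757 must be added too. *index_name* and Group2 are placeholders.```
index=*index_name* (EventCode=4728 OR EventCode=4729) earliest=-5m latest=now
(Group_Name="*Domain Admins*" OR Group_Name="*Group2*")
| rename src_user AS "Actioned By", src_user_first AS "First Name", src_user_last AS "Last Name", name AS "Action Taken"
```Reduce the member DN (CN=name,OU=...) to the bare name: strip the CN= prefix in either case, drop everything from the first ,OU onward, then remove escaping backslashes.```
| rex mode=sed field="Account_Name" "s/CN=//g"
| rex mode=sed field="Account_Name" "s/cn=//g"
| rex mode=sed field="Account_Name" "s/,OU.*//g"
| rex mode=sed field="Account_Name" "s/\\\//g"
| table "Actioned By" "First Name" "Last Name" Account_Name "Action Taken" Group_Name Account_Domain _time
| sort - _time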
Test this first:
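```Probe: AD user objects from the Sync pass that are not yet in the AD_User_LDAP_list lookup, capped at 50000 rows. The NOT [...] subsearch expands to a list of objectGUID terms and is bound by the default subsearch result limit, so with a very large lookup not every known object is excluded — confirm the exclusion is complete before relying on it.```
eventtype=ms_ad_obj_msad_data (admonEventType=Sync) (objectClass="top|person|organizationalPerson|user") NOT ([| inputlookup AD_User_LDAP_list| fields objectGUID| table objectGUID| format])
| head 50000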
If the above completes within a reasonable time, then try the following steps:
Clone the macro "ms_ad_obj_admon_user_base_list" and rename it to
"ms_ad_obj_admon_user_base_temp"
Update the original "ms_ad_obj_admon_user_base_list" macro by adding the following after
the (objectClass="top|person|organizationalPerson|user") text:
NOT ([| inputlookup AD_User_LDAP_list| fields objectGUID| table objectGUID| format]) | head
50000
Also, remove the search text OR admonEventType=Update OR admonEventType=Deleted so that only the
Sync data is loaded initially.
Save the changes, then run the following search from the search view in the MS Windows AD
Objects application, selecting the appropriate time window for your Active Directory "Sync"
data (you can try All time first):
|`ms_ad_obj_sched_sync_objects_base("User","user")`
You will need to run this multiple times, probably about 5 times for your environment.
You can check the count of objects in AD_User_LDAP_list by running: | inputlookup
AD_User_LDAP_list | stats count
After the table is built, add the text OR admonEventType=Update OR
admonEventType=Deleted back to the "ms_ad_obj_admon_user_base_list" macro, then rerun the step 1
searches to capture the update and delete events.
After the table is built, remove the NOT ([| inputlookup AD_User_LDAP_list| fields
objectGUID| table objectGUID| format]) | head 50000 text from the
"ms_ad_obj_admon_user_base_list" macro.