Multiple Account Disabled by an Administrator
Detect multiple accounts being disabled by an Administrator
How to Implement
You should configure your audit policy to include these events (4725 and the legacy 629) and log them using a Splunk Universal Forwarder or by other means. You will also want to manually edit the asset/identity list to define which administrator or otherwise privileged accounts should be treated as privileged.
Known False Positives
The biggest potential false positive for this detection is a legitimate account being used to bulk disable accounts as part of an Active Directory cleanup process, for example disabling user accounts that have not been used in X number of days or weeks.
Beyond that, there are no known sources of false positives for this search.
How To Respond
When this search returns values, initiate your incident response process and verify whether the account owner has authority to bulk disable accounts. If not, begin the remediation process.
Multiple Account Disabled by an Administrator Help
This example leverages the Simple Search assistant. Our dataset is a collection of Windows security events for user account disables. We filter for several of those occurring within a short period of time; any series of matches that hits is surfaced.
SPL for Multiple Account Disabled by an Administrator
1. Here we start with a data set from the Windows event codes we are considering.
2. We count the number of events by user, host and event name.
3. This macro attaches information from the ES Asset and Identity framework so you can see if a user is considered privileged.
4. Filter on privileged users only.
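The same four steps, as an added example that is not part of the original page or of Splunk's own SPL: a small Python detector run over constructed sample events, where the field names (`src_user` for the account doing the disabling, `user` for the disabled account), the threshold of three disables in five minutes, and the `PRIVILEGED_IDENTITIES` set standing in for the ES asset/identity lookup are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (not real log data).
# 4725 = "A user account was disabled"; 629 is the pre-2008 equivalent.
# 4720 (account created) is included to show it is ignored by the filter.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T09:00:05", "EventCode": 4725, "host": "DC01",
     "src_user": "svc_adcleanup", "user": "jdoe"},
    {"_time": "2024-05-01T09:00:09", "EventCode": 4725, "host": "DC01",
     "src_user": "svc_adcleanup", "user": "asmith"},
    {"_time": "2024-05-01T09:00:14", "EventCode": 629, "host": "DC01",
     "src_user": "svc_adcleanup", "user": "bwong"},
    {"_time": "2024-05-01T09:00:20", "EventCode": 4725, "host": "DC01",
     "src_user": "svc_adcleanup", "user": "clee"},
    {"_time": "2024-05-01T10:30:00", "EventCode": 4725, "host": "DC02",
     "src_user": "helpdesk1", "user": "temp_contractor"},
    {"_time": "2024-05-01T11:00:00", "EventCode": 4720, "host": "DC01",
     "src_user": "svc_adcleanup", "user": "newhire"},
]

# Stand-in for the ES Asset & Identity lookup (assumed, hand-maintained list).
PRIVILEGED_IDENTITIES = {"svc_adcleanup", "domain_admin"}

DISABLE_CODES = {4725, 629}  # step 1: the event codes we are considering


def detect_bulk_disables(events, identities, threshold=3,
                         window=timedelta(minutes=5)):
    """Return (src_user, host, count) for privileged accounts that disabled
    at least `threshold` accounts within `window` on one host."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["EventCode"] not in DISABLE_CODES:
            continue
        by_actor[(ev["src_user"], ev["host"])].append(
            datetime.fromisoformat(ev["_time"]))
    alerts = []
    for (actor, host), times in by_actor.items():   # step 2: count per user/host
        if actor not in identities:                 # steps 3-4: privileged only
            continue
        times.sort()
        # Sliding window: most disables that start within `window` of each other.
        best = max(sum(1 for t in times[i:] if t - start <= window)
                   for i, start in enumerate(times))
        if best >= threshold:
            alerts.append((actor, host, best))
    return alerts
```

Tune `threshold` and `window` to the rate at which your own cleanup jobs disable accounts, so that the known false positive above stays below the alert line.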