I am trying to find out all the recent modifications made to an AD user account in our tenancy from Rapid7. Is there an option in Rapid7 to achieve this?
Can you please let me know? Thanks
This would depend on the logs flowing into the product, for example if you have the AD event source set up with the Send Unparsed checkbox enabled.
If you’d like a deeper dive on this and don’t want to divulge details publicly I’d suggest raising a support case.
What kind of changes are you looking for?
David
Hi David,
Someone deleted an AD user account which is a resource mailbox account at the start of this month.
I am just trying to find out who did that action through Rapid7.
Thanks
Sunil.
If you have the send unparsed boxes checked on all AD sources, you can navigate to log search, select the AD sources under the Raw Log logset, and search for where(accountName,loose),
replacing accountName with the deleted account you are looking for, and span your time range to your rough estimate of when it occurred.
David
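
The search described in the reply above, carried one step further over exported raw log lines, as an added example that is not part of the original thread and not Rapid7 code. It assumes loose matching means a case-insensitive substring match; the log line layout, account names and function names are constructed for illustration, and it relies on Windows Security event 4726 ("A user account was deleted"), which the thread does not mention.

```python
import re

# Constructed sample of raw AD security log lines. The single-line layout is an
# assumption; real exports differ by collector.
# Event 4726 = "A user account was deleted", 4738 = "A user account was changed".
SAMPLE_RAW_LOGS = [
    "2024-03-02T09:14:07Z DC01 EventCode=4738 A user account was changed. "
    "Subject: Account Name: helpdesk1 Account Domain: CORP "
    "Target Account: Account Name: RoomRes-Boardroom Account Domain: CORP",
    "2024-03-02T09:20:41Z DC01 EventCode=4726 A user account was deleted. "
    "Subject: Account Name: adm.jdoe Account Domain: CORP "
    "Target Account: Account Name: RoomRes-Boardroom Account Domain: CORP",
    "2024-03-02T09:21:02Z DC01 EventCode=4726 A user account was deleted. "
    "Subject: Account Name: adm.jdoe Account Domain: CORP "
    "Target Account: Account Name: temp.contractor Account Domain: CORP",
]

# Subject = account that performed the action, Target Account = account acted on.
ACTOR_TARGET = re.compile(
    r"Subject:.*?Account Name:\s*(?P<actor>\S+).*?"
    r"Target Account:.*?Account Name:\s*(?P<target>\S+)",
    re.S,
)


def loose_match(text, term):
    """Case-insensitive substring match, standing in for a loose keyword search."""
    return term.lower() in text.lower()


def find_deletions(lines, account_name):
    """Return (timestamp, actor, target) for deletion events targeting the account."""
    hits = []
    for line in lines:
        # Step 1: the loose keyword filter on the account name.
        if not loose_match(line, account_name):
            continue
        # Step 2: keep only account-deletion events.
        if "EventCode=4726" not in line:
            continue
        m = ACTOR_TARGET.search(line)
        # Step 3: the name must be the deleted account, not the actor.
        if m and loose_match(m.group("target"), account_name):
            hits.append((line.split()[0], m.group("actor"), m.group("target")))
    return hits


if __name__ == "__main__":
    for ts, actor, target in find_deletions(SAMPLE_RAW_LOGS, "roomres-boardroom"):
        print(f"{ts}: {actor} deleted {target}")
```

The third check matters because a keyword-only search also returns events where the name appears as the acting account rather than the deleted one.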