Time stamp for disable account

Is there a way to query when a user is disabled and find out the time/date of the disabled user?

hi @dce

on your domain controllers, via the AD event source or using the agent running on domain controllers with the setting enabled to collect WMI logs.

You should see a logset in log search called AD Admin Activity.

In this logset if you search for the event code 4725 you should see user account disabled log events.

groupby(source_json.eventCode) to see all of the event codes. or groupby(action) to see the human readable actions.

where(source_json.eventCode=4725)

where(action=ACCOUNT_DISABLED)

to see user account disabled events.

You may need to adjust the time range to the relevant time span for your search,

David

Awesome, this works. I did the same for deleted user accounts event ID 4726 and couldn’t find deleted user accounts. I know for a fact we have deleted users. Have you encountered this issue?

We don’t natively collect that event, if you have send unparsed data enabled on the AD event source however you should see it in the Raw Logs or Unparsed Data logsets

You can see the list of events we pull and parse natively here Active Directory | InsightIDR Documentation

David

1 Like

As David said, they don’t natively collect the deleted account event id, and sending our unparsed usage would further increase our data usage.

I ran in to this issue recently trying to track down who and when an account was deleted. I have submitted this as an enhancement request (idea 4493). I would suggest possibly raising a request too as it would help show there is demand for it. Share an idea with Rapid7 | Insight Platform Documentation

1 Like