User shows AD account is disabled in IDR but in actual AD it is not


I am getting investigations on a user whose AD account is shown as disabled in IDR, but the user's account is actually enabled when checking in AD.

At first I thought it was an LDAP log source collection issue, which I checked and it is not.

Anything else I can check to see why this is happening?

Hi @afaugno,

I’d recommend you raise a support case so that we can take a closer look at the specific user.

You are right that usually the issue lies with the LDAP event source, as this is the source of truth IDR uses to establish a user's account status.

However, it's possible that IDR is not updating a user record for some unknown reason; we will need to know the user details to troubleshoot further.