Some time ago, at a place where I was working, an account that was critical to a legacy system got disabled, and things ground to a halt. Anyone with an admin account got (somewhat jokingly) accused of disabling it. No one was really sure who had done it, or when. Being easily offended and paranoid, it got my cogs whirring:
Had I done it without realising? Could I prove who it was (hopefully not me!)? This particular company already had configured:
· A log analytics workspace with Azure Sentinel Enabled
· Data connectors for various services
· Monitoring Agents deployed to all on-premises and Azure servers (importantly here, ALL domain controllers were feeding their Security Event logs into the workspace)
This meant that somewhere in this Log Analytics workspace, amongst all these masses of good data, I would be able to find the answer to who disabled the account. Where data connectors are deployed, there are workbooks available to visualise the data and other tools to help, but I just wanted to quickly search for what I needed. Getting this data into the workspace costs some money, but it gives you massive power to do oh so many things. To find out what had happened, enter Kusto Query Language – KQL, a language similar to SQL. So how did I prove my innocence?
Knowing what you are looking for – Old school event ID
From my past Windows days, I knew that a Windows account being disabled is recorded under its own Event ID. So the first step is translating what you want to find out into that good old Windows Event ID. This is the Event ID for an account disable:
4725 (in Microsoft Windows Security Auditing)
I also knew that this event carries a target account (the account that was disabled) and a subject account (who did the disabling deed!).
Sentinel
So I went into the Sentinel workspace, to the logs section and ran
SecurityEvent
| where EventID == 4725 and TargetUserName == "critical_account"  // 4725 = a user account was disabled; match the disabled account
| where TimeGenerated > ago(1d)                                   // only events from the last 24 hours

This gives me a result showing when the account with that target name was disabled, and by whom, in the last 24 hours.

Case closed, your honour! But just think how you could tweak this query, add to it, and use it to feed into some sort of automation or alerting. The possibilities are endless if you have the data.
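As an added example of the kind of tweak described above (not from the original post), here is the same lookup reshaped for a Sentinel scheduled analytics rule: it watches a list of critical accounts for disable, enable and delete events and names the actor and the domain controller that logged it. The account names in critical_accounts are placeholders you would replace with your own (or load from a Sentinel watchlist).

```kql
// Added example: account lifecycle changes against a list of critical accounts.
// Assumed: "critical_account" and "svc_legacy_app" are placeholder names; in a
// real rule you could instead take them from _GetWatchlist('CriticalAccounts').
let lookback = 1d;
let critical_accounts = dynamic(["critical_account", "svc_legacy_app"]);
SecurityEvent
| where TimeGenerated > ago(lookback)           // time filter first: it narrows the scan the most cheaply
| where EventID in (4725, 4722, 4726)           // 4725 = disabled, 4722 = enabled, 4726 = deleted
| where TargetUserName in~ (critical_accounts)  // case-insensitive match on the target account
| extend Action = case(EventID == 4725, "Disabled",
                       EventID == 4722, "Enabled",
                       "Deleted")
| project TimeGenerated, Action,
          Actor  = strcat(SubjectDomainName, @"\", SubjectUserName),  // who made the change
          Target = strcat(TargetDomainName, @"\", TargetUserName),    // which account changed
          DomainController = Computer                                 // DC that recorded the event
| order by TimeGenerated desc
```

Saved as an analytics rule with Actor and Target mapped as Account entities, every row becomes an alert rather than something you have to go looking for after the system has stopped.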