Dashboard Query: Enabled Accounts

Document created by Spencer Engleson (Employee) on Oct 27, 2016. Last modified by Spencer Engleson (Employee) on Oct 27, 2016.

These queries show users who own accounts that have been recently enabled.  There are several variants of this query, explained below.

 

Log Set: Active Directory Admin Activity

Event Source: Active Directory

 

Users with Recently Enabled Accounts

This query shows all users who own accounts that have been enabled in the selected time range. The recommended visualization is a table (the "Count" column is the total number of matching events for the target user in the selected time range):

 

     where(action="ACCOUNT_ENABLED") groupby(target_user)

 

 

Note that you can change the groupby from target_user to source_user to show all users who are responsible for enabling other users, rather than the users who were enabled.

 

Recently Enabled Accounts

This query shows the accounts, rather than the users, that have been enabled in the set timespan:

 

     where(action="ACCOUNT_ENABLED") groupby(target_account)

 

Enabled Accounts Trend over Time

To see a trend over time for enabled accounts, use a count function, a timeline chart, and a longer time range to show the number of account-enabled events over time:

     where(action="ACCOUNT_ENABLED") calculate(count)
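
The following is an added example, not part of the original document or the product: it reproduces the three queries above (plus the source_user variant) in Python over constructed sample events, so you can see what each view returns. The JSON layout, the timestamp field, the sample names and the OTHER_ACTION value are assumptions; only action, source_user, target_user and target_account come from the queries.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample events (assumed JSON layout, one event per line).
# One line is malformed and one event has no target_user, as real exports can.
SAMPLE_LOG = """\
{"timestamp": "2016-10-24T09:15:00Z", "action": "ACCOUNT_ENABLED", "source_user": "Alice Admin", "target_user": "Bob Jones", "target_account": "bjones"}
{"timestamp": "2016-10-24T09:20:00Z", "action": "ACCOUNT_ENABLED", "source_user": "Alice Admin", "target_user": "Bob Jones", "target_account": "bjones-adm"}
{"timestamp": "2016-10-25T14:02:00Z", "action": "OTHER_ACTION", "source_user": "Alice Admin", "target_user": "Carol Diaz", "target_account": "cdiaz"}
{"timestamp": "2016-10-26T03:41:00Z", "action": "ACCOUNT_ENABLED", "source_user": "Dave Ops", "target_user": "Carol Diaz", "target_account": "cdiaz"}
not-json debris line
{"timestamp": "2016-10-26T03:45:00Z", "action": "ACCOUNT_ENABLED", "source_user": "Dave Ops", "target_account": "svc-backup"}
"""

def parse_events(text):
    """Yield one dict per line, skipping malformed lines."""
    for line in text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            yield event

def enabled(events):
    """Equivalent of where(action="ACCOUNT_ENABLED")."""
    return [e for e in events if e.get("action") == "ACCOUNT_ENABLED"]

def groupby(events, key):
    """Event count per value of key; this sketch leaves out events lacking the key."""
    return Counter(e[key] for e in events if e.get(key))

def count_per_day(events):
    """Event count per UTC day, the series a timeline chart would plot."""
    days = Counter()
    for e in events:
        ts = datetime.strptime(e["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        days[ts.date().isoformat()] += 1
    return dict(sorted(days.items()))

if __name__ == "__main__":
    hits = enabled(parse_events(SAMPLE_LOG))
    for key in ("target_user", "source_user", "target_account"):
        print(key, groupby(hits, key).most_common())
    print("per day", count_per_day(hits))
```

Comparing the target_user and target_account tables shows why both views are useful: one user can own several enabled accounts, and a service account may have no owning user at all.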

 
