ParseEventID4738.kql
// Decode the UserAccountControl change codes carried by Event ID 4738
// ("A user account was changed") into readable descriptions.
//
// Output: one row per four-digit code found in UserAccountControl, with the
// raw code in `x` and its text in `UserAccountControlDescription`. A single
// 4738 event that changes several flags therefore yields several rows, so
// count distinct events rather than rows when building alert thresholds.
//
// Triage hint: the "- Enabled" transitions that weaken an account are the
// ones usually worth alerting on: 2082 (Password Not Required),
// 2089 (Don't Expire Password), 2091 (Encrypted Text Password Allowed),
// 2093 / 2098 (delegation), 2095 (Use DES Key Only) and
// 2096 (Don't Require Preauth).
//
// NOTE(review): WindowsEvent usually keeps event fields inside the EventData
// dynamic column; this query reads UserAccountControl as a top-level column.
// Confirm that column exists in the target workspace.
// NOTE(review): the pattern accepts any run of four digits, not only codes
// written as %%NNNN. Anything outside the table below maps to "Unknown".
let UacCodeText = dynamic({
    "2048": "Account Enabled",
    "2049": "Home Directory Required - Disabled",
    "2050": "Password Not Required - Disabled",
    "2051": "Temp Duplicate Account - Disabled",
    "2052": "Normal Account - Disabled",
    "2053": "MNS Logon Account - Disabled",
    "2054": "Interdomain Trust Account - Disabled",
    "2055": "Workstation Trust Account - Disabled",
    "2056": "Server Trust Account - Disabled",
    "2057": "Don't Expire Password - Disabled",
    "2058": "Account Unlocked",
    "2059": "Encrypted Text Password Allowed - Disabled",
    "2060": "Smartcard Required - Disabled",
    "2061": "Trusted For Delegation - Disabled",
    "2062": "Not Delegated - Disabled",
    "2063": "Use DES Key Only - Disabled",
    "2064": "Don't Require Preauth - Disabled",
    "2065": "Password Expired - Disabled",
    "2066": "Trusted To Authenticate For Delegation - Disabled",
    "2067": "Exclude Authorization Information - Disabled",
    "2068": "Undefined UserAccountControl Bit 20 - Disabled",
    "2069": "Protect Kerberos Service Tickets with AES Keys - Disabled",
    "2070": "Undefined UserAccountControl Bit 22 - Disabled",
    "2071": "Undefined UserAccountControl Bit 23 - Disabled",
    "2072": "Undefined UserAccountControl Bit 24 - Disabled",
    "2073": "Undefined UserAccountControl Bit 25 - Disabled",
    "2074": "Undefined UserAccountControl Bit 26 - Disabled",
    "2075": "Undefined UserAccountControl Bit 27 - Disabled",
    "2076": "Undefined UserAccountControl Bit 28 - Disabled",
    "2077": "Undefined UserAccountControl Bit 29 - Disabled",
    "2078": "Undefined UserAccountControl Bit 30 - Disabled",
    "2079": "Undefined UserAccountControl Bit 31 - Disabled",
    "2080": "Account Disabled",
    "2081": "Home Directory Required - Enabled",
    "2082": "Password Not Required - Enabled",
    "2083": "Temp Duplicate Account - Enabled",
    "2084": "Normal Account - Enabled",
    "2085": "MNS Logon Account - Enabled",
    "2086": "Interdomain Trust Account - Enabled",
    "2087": "Workstation Trust Account - Enabled",
    "2088": "Server Trust Account - Enabled",
    "2089": "Don't Expire Password - Enabled",
    "2090": "Account Locked",
    "2091": "Encrypted Text Password Allowed - Enabled",
    "2092": "Smartcard Required - Enabled",
    "2093": "Trusted For Delegation - Enabled",
    "2094": "Not Delegated - Enabled",
    "2095": "Use DES Key Only - Enabled",
    "2096": "Don't Require Preauth - Enabled",
    "2097": "Password Expired - Enabled",
    "2098": "Trusted To Authenticate For Delegation - Enabled",
    "2099": "Exclude Authorization Information - Enabled",
    "2100": "Undefined UserAccountControl Bit 20 - Enabled",
    "2101": "Protect Kerberos Service Tickets with AES Keys - Enabled",
    "2102": "Undefined UserAccountControl Bit 22 - Enabled",
    "2103": "Undefined UserAccountControl Bit 23 - Enabled",
    "2104": "Undefined UserAccountControl Bit 24 - Enabled",
    "2105": "Undefined UserAccountControl Bit 25 - Enabled",
    "2106": "Undefined UserAccountControl Bit 26 - Enabled",
    "2107": "Undefined UserAccountControl Bit 27 - Enabled",
    "2108": "Undefined UserAccountControl Bit 28 - Enabled",
    "2109": "Undefined UserAccountControl Bit 29 - Enabled",
    "2110": "Undefined UserAccountControl Bit 30 - Enabled",
    "2111": "Undefined UserAccountControl Bit 31 - Enabled"
});
WindowsEvent
| where EventID == 4738
// Collect every four-digit code in the field, then fan out to one row per code.
| extend x = extract_all(@"([0-9]{4})", UserAccountControl)
| mv-expand x
// A code missing from the table (or a row with no code at all) gives an empty
// lookup result, which coalesce() replaces with "Unknown".
| extend UserAccountControlDescription = coalesce(tostring(UacCodeText[tostring(x)]), "Unknown")