From 2628909a8e8c6dabe5d8a2ab798d2ad0fdc5af21 Mon Sep 17 00:00:00 2001 From: 0xv1n <11021725+0xv1n@users.noreply.github.com> Date: Fri, 13 Dec 2024 14:19:15 -0500 Subject: [PATCH] Add: Unlock Activity (#1285) #### Related Issue: In Windows, I'd like to be able to distinguish an account enable event from an account unlock event. #### Description of changes: This change would allow for coverage of events such as Windows EID 4767 (https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4767). There is another Windows EID for enabling an account (https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4722) and I imagine the distinction is important for mapping. --------- Signed-off-by: 0xv1n <11021725+0xv1n@users.noreply.github.com> Co-authored-by: Jonathan Rau <139361268+jonrau-at-queryai@users.noreply.github.com> --- CHANGELOG.md | 1 + events/iam/account_change.json | 6 +++++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f40abe5ab..0ee01a391 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -110,6 +110,7 @@ Thankyou! --> 1. Relaxed requirements on the `http_request` and `http_response` attributes in the `http_activity` event class and added an `at_least_one` constraint with these attributes. #1274 1. Add `host` profile to base_event.json and remove this profile elsewhere in the event hierarchy. #1280 1. Add the `actor` attribute to the IAM base event. #1280 + 1. Add `Unlock` activity to `account_change` class. #1285 * #### Profiles 1. Added `is_alert`, `confidence_id`, `confidence`, `confidence_score` attributes to the `security_control` profile. #1178 1. Added `risk_level_id`, `risk_level`, `risk_score`, `risk_details` attributes to the `security_control` profile. #1178 diff --git a/events/iam/account_change.json b/events/iam/account_change.json index 4102572b9..9d15db478 100644 
--- a/events/iam/account_change.json +++ b/events/iam/account_change.json @@ -50,6 +50,10 @@ "11": { "caption": "MFA Factor Disable", "description": "An authentication factor was disabled for an account." + }, + "12": { + "caption": "Unlock", + "description": "A user account was unlocked." } } }, @@ -68,4 +72,4 @@ "requirement": "recommended" } } -} \ No newline at end of file +}
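Review bot: the CHANGELOG entry (`+ 1. Add \`Unlock\` activity to \`account_change\` class. #1285`) omits the numeric value the enum gained, and consumers mapping producers to OCSF key on `activity_id`, not the caption; suggest `1. Add \`Unlock\` activity (activity_id 12) to the \`account_change\` class. #1285` so the changelog records the id without the reader having to open the schema diff.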
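Review bot: in the `@@ -50,6 +50,10 @@` hunk the new `"12"` entry's description, `"A user account was unlocked."`, does not state the distinction from `Enable` that the PR exists to capture, so a mapper reading only the schema still has to guess which activity an EID 4767 (unlock) versus an EID 4722 (enable) event belongs to; it also says "user account" where the neighbouring `"11"` entry says "an account". Suggest `"description": "An account was unlocked, for example after a lockout. Distinct from Enable, which re-enables a disabled account."` so the two activities are unambiguous at the point of mapping.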
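Review bot: the `@@ -68,4 +72,4 @@` hunk only replaces the missing trailing newline at end of file (`-} \ No newline at end of file` / `+}`); it is unrelated to the Unlock activity and is harmless, but mentioning the whitespace fix in the commit message (or splitting it out) keeps the history of the enum change clean for anyone bisecting it later.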