{
  "id": "4722",
  "source": "windows_security",
  "category": "AccountMgmt",
  "name": "A user account was enabled",
  "priority": "P2",
  "applicable_version": "Windows Server 2008 R2 and later; Windows 7 and later",
  "last_reviewed": "2026-07-11",
  "definition": "Event ID 4722 records enabling of a user account.",
  "trigger_scenarios": "Windows logs it when an administrator or workflow enables a local or domain account.",
  "key_fields": [
    {
      "field": "Target Account",
      "explanation": "The account enabled; dormant, disabled, and privileged accounts require context."
    },
    {
      "field": "Subject",
      "explanation": "The actor who enabled it."
    },
    {
      "field": "Target SID",
      "explanation": "A stable identity for correlating renamed accounts."
    }
  ],
  "false_positives": [
    "Onboarding and identity workflows enable valid accounts.",
    "Helpdesk staff re-enable accounts after lockout or leave."
  ],
  "related_event_ids": [
    "4720",
    "4725",
    "4738"
  ],
  "attck_mapping": [
    {
      "technique_id": "T1098",
      "technique_name": "Account Manipulation"
    }
  ],
  "detection_notes": "T1098 persistence is concrete when an account disabled by 4725 is re-enabled by 4722 and receives a Type 10 4624 within 60 minutes. The 60-minute sequence distinguishes ordinary onboarding from rapid restoration of a dormant access path.",
  "kql_snippet": "SecurityEvent\n| where EventID == 4722\n| project TimeGenerated, Computer, Account, TargetAccount, TargetSid",
  "spl_snippet": "index=wineventlog EventCode=4722 | table _time, host, SubjectUserName, TargetUserName, TargetSid",
  "sample_log": "Subject: CORP\\admin.ops\nTarget Account: CORP\\former.user\nTarget SID: S-1-5-21-REDACTED",
  "source_url": "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4722",
  "route": "/windows-events/4722/",
  "canonical_url": "https://soceventlookup.com/windows-events/4722/",
  "json_url": "/api/events/windows-security/4722.json"
}
