https://community.splunk.com/t5/Splunk-Search/Check-for-event-that-has-not-changed-for-X-days/m-p/484804#M135708 <P>Hello.</P> <P>I'm struggling with a query. We want to search Windows Event logs for accounts whose passwords have not been changed (by admins) for more than 700 days. I have created a query that informs me of when a password was changed:</P> <PRE><CODE> index=main host=*DC* EventCode=4724 | eval Modifier = mvindex(Account_Name, 0) | eval User_Name = mvindex(Account_Name, 1) | rename Group_Name AS Modified_Group | table _time Modifier User_Name </CODE></PRE> <P>But I do not know how to get Splunk to check for a password that has NOT been changed for over X days. Is this even possible?</P> <P>Thank you in advance for your help.</P> Wed, 13 Nov 2019 18:48:03 GMT Branden 2019-11-13T18:48:03Z https://community.splunk.com/t5/Splunk-Search/Check-for-event-that-has-not-changed-for-X-days/m-p/484804#M135708 <P>Hello.</P> <P>I'm struggling with a query. We want to search Windows Event logs for accounts whose passwords have not been changed (by admins) for more than 700 days. I have created a query that informs me of when a password was changed:</P> <PRE><CODE> index=main host=*DC* EventCode=4724 | eval Modifier = mvindex(Account_Name, 0) | eval User_Name = mvindex(Account_Name, 1) | rename Group_Name AS Modified_Group | table _time Modifier User_Name </CODE></PRE> <P>But I do not know how to get Splunk to check for a password that has NOT been changed for over X days. Is this even possible?</P> <P>Thank you in advance for your help.</P> Wed, 13 Nov 2019 18:48:03 GMT https://community.splunk.com/t5/Splunk-Search/Check-for-event-that-has-not-changed-for-X-days/m-p/484804#M135708 Branden 2019-11-13T18:48:03Z https://community.splunk.com/t5/Splunk-Search/Check-for-event-that-has-not-changed-for-X-days/m-p/484805#M135709 <P>Hi Branden,</P> <P>I think the answer is quite easy, but not what you expect:<BR /> - Install the SA-ldapsearch (Splunk Supporting Add On for Active Directory) <A href="https://splunkbase.splunk.com/app/1151/">https://splunkbase.splunk.com/app/1151/</A><BR /> - do an LDAP-Search on your tree and look for (objectClass=shadowAccount) and the field shadowLastChange (date of last password change)</P> <P>Hope it helps<BR /> Oliver</P> Wed, 13 Nov 2019 19:09:30 GMT https://community.splunk.com/t5/Splunk-Search/Check-for-event-that-has-not-changed-for-X-days/m-p/484805#M135709 ololdach 2019-11-13T19:09:30Z https://community.splunk.com/t5/Splunk-Search/Check-for-event-that-has-not-changed-for-X-days/m-p/484806#M135710 <P>Thank you for your response. We have an AD environment and a separate LDAP environment (running on Linux). Your solution would work for our LDAP logs, but for AD all I have to go by are the Windows Event Logs. </P> Wed, 13 Nov 2019 19:13:33 GMT https://community.splunk.com/t5/Splunk-Search/Check-for-event-that-has-not-changed-for-X-days/m-p/484806#M135710 Branden 2019-11-13T19:13:33Z https://community.splunk.com/t5/Splunk-Search/Check-for-event-that-has-not-changed-for-X-days/m-p/484807#M135711 <P>Hi Branden, the solution works fine with AD, provided you get a read-only AD user set up in your AD domain. If you can't get access, though, this page tells you the right messages to get into splunk and look for: <A href="https://blogs.manageengine.com/active-directory/2018/08/23/monitoring-service-account-password-changes-active-directory.html">https://blogs.manageengine.com/active-directory/2018/08/23/monitoring-service-account-password-changes-active-directory.html</A><BR /> Best<BR /> Oliver</P> Thu, 14 Nov 2019 06:04:01 GMT https://community.splunk.com/t5/Splunk-Search/Check-for-event-that-has-not-changed-for-X-days/m-p/484807#M135711 ololdach 2019-11-14T06:04:01Z https://community.splunk.com/t5/Splunk-Search/Check-for-event-that-has-not-changed-for-X-days/m-p/484808#M135712 <P>You were absolutely right. I misunderstood what you were saying. <BR /> I worked with one of our admins and we have the query working. You're right - it's quite an easy solution. Thank you very much!</P> Fri, 15 Nov 2019 17:08:14 GMT https://community.splunk.com/t5/Splunk-Search/Check-for-event-that-has-not-changed-for-X-days/m-p/484808#M135712 Branden 2019-11-15T17:08:14Z