Splunk Enterprise Security

How to create a search for resetting users and users changing their password

philman15
New Member

I'm trying to make a search that allows me to see users resetting and changing their password. I have this SPL:

index=wineventlog  EventCode=4723 OR EventCode=4724
| eval Modifier = mvindex (Account_Name, 0)
| eval Member_Modified = mvindex (Account_Name, 1)
| eval Modifier_Domain = mvindex (Account_Domain, 0)
| eval Modified_Domain = mvindex (Account_Domain, 1)
| table _time, Modifier, Member_Modified, EventCode

This shows me all the changes for those event codes in my environment. I was wondering if there was a way to take away the users that have both a 4724 (reset) and then a 4723 (changed), that way I can see which users still have to change their password after the reset.


to4kawa
Ultra Champion
index=wineventlog EventCode=4723 OR EventCode=4724
| eval Modifier = mvindex (Account_Name, 0)
| eval Member_Modified = mvindex (Account_Name, 1)
| eval Modifier_Domain = mvindex (Account_Domain, 0)
| eval Modified_Domain = mvindex (Account_Domain, 1)
| stats latest(_time) as _time dc(EventCode) as flag values(EventCode) as EventCode by  Modifier Member_Modified
| where flag > 1

Do you need Modifier_Domain and Modified_Domain?


philman15
New Member

@to4kawa that works to a point. I'm trying to show users that do not change the password after the reset per policy. I changed it to this, but it's still off a little.
index=wineventlog EventCode=4723 OR EventCode=4724
| eval Modifier = mvindex (Account_Name, 0)
| eval Member_Modified = mvindex (Account_Name, 1)
| eval secondsAgoStr=tostring(now() - _time, "duration")
| search Member_Modified="user*"
| stats latest(_time) as _time dc(EventCode) as flag values(EventCode) as EventCode by Member_Modified, secondsAgoStr
| dedup Member_Modified
| where flag !=2 AND EventCode!=4723

Still not working 100% when trying to show an EventCode 4724 without the 4723 following it.


richgalloway
SplunkTrust

Try this. It uses dedup to find the most recent event for each modification and then filters out the changed events, which should leave the reset events without a subsequent change event.

index=wineventlog EventCode=4723 OR EventCode=4724
| eval Modifier = mvindex (Account_Name, 0)
| eval Member_Modified = mvindex (Account_Name, 1)
| eval Modifier_Domain = mvindex (Account_Domain, 0)
| eval Modified_Domain = mvindex (Account_Domain, 1)
| dedup Modifier, Member_Modified
| where EventCode!=4723
| table _time, Modifier, Member_Modified, EventCode
---
If this reply helps you, Karma would be appreciated.
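The correlation the thread is after (per target account, take the latest of its 4723/4724 events and report the account only when that latest event is a reset older than the policy window) can be modelled offline. This is an added example, not code from the thread or from Splunk; the events, account names and 24-hour window are constructed assumptions, and the subject/target positions in Account_Name follow the mvindex(Account_Name, 0/1) convention used in the searches above.

```python
from datetime import datetime

# Constructed sample events (not real data), already shaped like the search output:
# Account_Name index 0 = subject (Modifier), index 1 = target (Member_Modified).
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T08:00:00", "EventCode": 4724, "Account_Name": ["helpdesk1", "user01"]},
    {"_time": "2024-05-01T09:15:00", "EventCode": 4723, "Account_Name": ["user01", "user01"]},
    {"_time": "2024-05-01T08:05:00", "EventCode": 4724, "Account_Name": ["helpdesk1", "user02"]},
    {"_time": "2024-05-02T10:00:00", "EventCode": 4724, "Account_Name": ["helpdesk2", "user01"]},
    {"_time": "2024-04-28T12:00:00", "EventCode": 4723, "Account_Name": ["user03", "user03"]},
]


def pending_resets(events, now_iso, max_age_hours=24):
    """Return {target: (reset_time, modifier)} for accounts whose most recent
    event is a 4724 reset (no later 4723 change) older than max_age_hours.

    Equivalent in spirit to: stats latest(EventCode) latest(_time) by Member_Modified
    followed by where latest EventCode = 4724 and the age check.
    """
    now = datetime.fromisoformat(now_iso)
    by_target = {}
    for e in events:
        by_target.setdefault(e["Account_Name"][1], []).append(e)

    pending = {}
    for target, evs in by_target.items():
        # Order by time so the last element is the latest event for this account.
        evs.sort(key=lambda e: datetime.fromisoformat(e["_time"]))
        last = evs[-1]
        if last["EventCode"] != 4724:
            continue  # latest activity is a user-driven change: the reset is resolved
        reset_time = datetime.fromisoformat(last["_time"])
        age_hours = (now - reset_time).total_seconds() / 3600
        if age_hours > max_age_hours:
            pending[target] = (last["_time"], last["Account_Name"][0])
    return pending


if __name__ == "__main__":
    for target, (when, who) in pending_resets(SAMPLE_EVENTS, "2024-05-03T00:00:00").items():
        print(f"{target}: reset by {who} at {when}, no password change since")
```

With the constructed data, user01 was reset again on 2024-05-02 and is still inside the 24-hour window, user02 was reset on 2024-05-01 and never changed the password, and user03 only has a self-service change, so only user02 is reported.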

starcher
Influencer

Don't use table in combination with a base search with a large event count. table is not a streaming command. Use fields or a stats.
