Splunk Enterprise Security

How to create a search for resetting users and users changing their password

philman15
New Member

I'm trying to make a search that allows me to see users resetting and changing their password. I have this SPL:

index=wineventlog EventCode=4723 OR EventCode=4724
| eval Modifier = mvindex(Account_Name, 0)
| eval Member_Modified = mvindex(Account_Name, 1)
| eval Modifier_Domain = mvindex(Account_Domain, 0)
| eval Modified_Domain = mvindex(Account_Domain, 1)
| table _time, Modifier, Member_Modified, EventCode

This shows me all the changes for these event codes in my environment. I was wondering if there was a way to take away the users that have both a 4724 (reset) and then a 4723 (changed), so that I can see which users still have to change their password after the reset.

0 Karma

to4kawa
Ultra Champion
index=wineventlog EventCode=4723 OR EventCode=4724
| eval Modifier = mvindex(Account_Name, 0)
| eval Member_Modified = mvindex(Account_Name, 1)
| eval Modifier_Domain = mvindex(Account_Domain, 0)
| eval Modified_Domain = mvindex(Account_Domain, 1)
| stats latest(_time) as _time dc(EventCode) as flag values(EventCode) as EventCode by Modifier Member_Modified
| where flag > 1

Do you need Modifier_Domain and Modified_Domain?

0 Karma

philman15
New Member

@to4kawa that works to a point. I'm trying to show users that do not change the password after the reset per policy. I changed it to this, but it's still off a little.

index=wineventlog EventCode=4723 OR EventCode=4724
| eval Modifier = mvindex(Account_Name, 0)
| eval Member_Modified = mvindex(Account_Name, 1)
| eval secondsAgoStr=tostring(now() - _time, "duration")
| search Member_Modified="user*"
| stats latest(_time) as _time dc(EventCode) as flag values(EventCode) as EventCode by Member_Modified, secondsAgoStr
| dedup Member_Modified
| where flag !=2 AND EventCode!=4723

Still not working 100% if trying to show an EventCode 4724 without the 4723 following it.

0 Karma

richgalloway
SplunkTrust

Try this. It uses dedup to find the most recent event for each modification and then filters out the changed events, which should leave the reset events without a subsequent change event.

index=wineventlog EventCode=4723 OR EventCode=4724
| eval Modifier = mvindex(Account_Name, 0)
| eval Member_Modified = mvindex(Account_Name, 1)
| eval Modifier_Domain = mvindex(Account_Domain, 0)
| eval Modified_Domain = mvindex(Account_Domain, 1)
| dedup Modifier, Member_Modified
| where EventCode!=4723
| table _time, Modifier, Member_Modified, EventCode
---
If this reply helps you, Karma would be appreciated.
0 Karma
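The logic the thread is after (a 4724 reset on an account with no 4723 change after it, evaluated per target account in time order) as an added example in Python, not code from the thread or from Splunk. The events are constructed samples shaped like Splunk's Windows field extractions, where Account_Name index 0 is the subject and index 1 is the target; the optional grace period is an assumption for accounts that were reset only moments ago.

```python
"""Find accounts whose latest password reset (4724) has no later change (4723)."""
from collections import defaultdict

# Constructed sample events (not real log data). Account_Name is multivalue:
# [subject who acted, target account], as in the thread's mvindex() calls.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventCode": 4724, "Account_Name": ["helpdesk1", "user01"]},
    {"_time": 1700003600, "EventCode": 4723, "Account_Name": ["user01", "user01"]},
    {"_time": 1700007200, "EventCode": 4724, "Account_Name": ["helpdesk1", "user02"]},
    {"_time": 1700009000, "EventCode": 4723, "Account_Name": ["user03", "user03"]},
    {"_time": 1700010800, "EventCode": 4724, "Account_Name": ["helpdesk2", "user03"]},
    {"_time": 1700014400, "EventCode": 4723, "Account_Name": ["user02", "user02"]},
    {"_time": 1700020000, "EventCode": 4724, "Account_Name": ["helpdesk1", "user04"]},
    {"_time": 1700021000, "EventCode": 4723, "Account_Name": ["user04", "user04"]},
    {"_time": 1700030000, "EventCode": 4724, "Account_Name": ["helpdesk2", "user04"]},
]


def outstanding_resets(events, grace_seconds=None, now=None):
    """Return {target: {"reset_time", "reset_by"}} for every target whose most
    recent 4724 is not followed by a 4723. A change that happened *before* the
    reset does not count (user03). With grace_seconds set, resets younger than
    that are not reported yet (assumed policy window for the user to comply)."""
    by_target = defaultdict(list)
    for ev in events:
        names = ev.get("Account_Name") or []
        if len(names) < 2:
            continue  # partial extraction: skip rather than misattribute
        by_target[names[1]].append((ev["_time"], ev["EventCode"], names[0]))

    flagged = {}
    for target, rows in by_target.items():
        pending = None  # (reset_time, reset_by) of the last reset not yet changed
        for t, code, subject in sorted(rows):
            if code == 4724:
                pending = (t, subject)
            elif code == 4723 and pending is not None and t >= pending[0]:
                pending = None  # user changed the password after the reset
        if pending is None:
            continue
        if grace_seconds is not None and now is not None and now - pending[0] < grace_seconds:
            continue  # still inside the window to comply
        flagged[target] = {"reset_time": pending[0], "reset_by": pending[1]}
    return flagged


if __name__ == "__main__":
    for target, info in sorted(outstanding_resets(SAMPLE_EVENTS).items()):
        print(f"{target}: reset by {info['reset_by']} at {info['reset_time']}, no change since")
```

The same per-account comparison in SPL, without dedup, is `stats latest(eval(if(EventCode=4724,_time,null()))) as last_reset latest(eval(if(EventCode=4723,_time,null()))) as last_change by Member_Modified | where isnotnull(last_reset) AND (isnull(last_change) OR last_change < last_reset)`.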

starcher
Influencer

Don't use table in combination with a base search with a large event count. table is not a streaming command; use fields or a stats.

0 Karma