Splunk Enterprise Security

How to create a search for resetting users and users changing their password

philman15
New Member

I'm trying to make a search that allows me to see users resetting and changing their password. I have this SPL:

index=wineventlog (EventCode=4723 OR EventCode=4724)
| eval Modifier = mvindex(Account_Name, 0)
| eval Member_Modified = mvindex(Account_Name, 1)
| eval Modifier_Domain = mvindex(Account_Domain, 0)
| eval Modified_Domain = mvindex(Account_Domain, 1)
| table _time, Modifier, Member_Modified, EventCode

This shows me all the changes for those event codes in my environment. I was wondering if there is a way to take away the users that have both a 4724 (reset) and then a 4723 (changed), so that I can see which users still have to change their password after the reset.

0 Karma

to4kawa
Ultra Champion
index=wineventlog (EventCode=4723 OR EventCode=4724)
| eval Modifier = mvindex(Account_Name, 0)
| eval Member_Modified = mvindex(Account_Name, 1)
| eval Modifier_Domain = mvindex(Account_Domain, 0)
| eval Modified_Domain = mvindex(Account_Domain, 1)
| stats latest(_time) as _time dc(EventCode) as flag values(EventCode) as EventCode by Modifier Member_Modified
| where flag > 1

Do you need Modifier_Domain and Modified_Domain?

0 Karma

philman15
New Member

@to4kawa that works to a point. I'm trying to show users that do not change the password after the reset per policy. I changed it to this, but it's still off a little.

index=wineventlog (EventCode=4723 OR EventCode=4724)
| eval Modifier = mvindex(Account_Name, 0)
| eval Member_Modified = mvindex(Account_Name, 1)
| eval secondsAgoStr=tostring(now() - _time, "duration")
| search Member_Modified="user*"
| stats latest(_time) as _time dc(EventCode) as flag values(EventCode) as EventCode by Member_Modified, secondsAgoStr
| dedup Member_Modified
| where flag!=2 AND EventCode!=4723

Still not working 100% when trying to show an EventCode 4724 without the 4723 following it.

0 Karma

richgalloway
SplunkTrust

Try this. It uses dedup to find the most recent event for each modification and then filters out the changed events, which should leave the reset events without a subsequent change event.

index=wineventlog (EventCode=4723 OR EventCode=4724)
| eval Modifier = mvindex(Account_Name, 0)
| eval Member_Modified = mvindex(Account_Name, 1)
| eval Modifier_Domain = mvindex(Account_Domain, 0)
| eval Modified_Domain = mvindex(Account_Domain, 1)
| dedup Modifier, Member_Modified
| where EventCode!=4723
| table _time, Modifier, Member_Modified, EventCode
---
If this reply helps you, Karma would be appreciated.
0 Karma

starcher
Influencer

Don't use table in combination with a base search with a large event count. table is not a streaming command. Use fields or stats.

0 Karma
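Putting the thread's pieces together, here is an added example search (it is not from any of the posters above) that lists target accounts whose most recent 4724 reset has no 4723 change after it. It keeps the page's assumption that index 0 of the multivalue Account_Name / Account_Domain is the subject who performed the action and index 1 is the target account; the field names Target_Account, Target_Domain, Reset_By, last_reset, last_change and hours_since_reset are my own choices, not Splunk or page fields. Because stats is used instead of dedup or table, the comparison is done per target account regardless of who performed the reset, and the search scales to large event counts as starcher recommends.

```spl
index=wineventlog (EventCode=4724 OR EventCode=4723)
| eval Target_Account=mvindex(Account_Name, 1)
| eval Target_Domain=mvindex(Account_Domain, 1)
| eval reset_time=if(EventCode==4724, _time, null())
| eval change_time=if(EventCode==4723, _time, null())
| eval Reset_By=if(EventCode==4724, mvindex(Account_Name, 0), null())
| stats latest(reset_time) as last_reset latest(change_time) as last_change values(Reset_By) as Reset_By by Target_Domain Target_Account
| where isnotnull(last_reset) AND (isnull(last_change) OR last_change < last_reset)
| eval hours_since_reset=round((now() - last_reset) / 3600, 1)
| fieldformat last_reset=strftime(last_reset, "%Y-%m-%d %H:%M:%S")
| fieldformat last_change=strftime(last_change, "%Y-%m-%d %H:%M:%S")
| sort - last_reset
```

The two eval lines split the timestamp into a reset column and a change column, so that stats can take latest() of each independently (stats functions skip null values). An account is reported only when it has a reset and either no change at all or its last change is older than the last reset, which is exactly the "4724 without a following 4723" case asked about. The OR for the event codes is parenthesised because, without parentheses, the base search would match any 4724 event from every index. Pick a time range at least as long as the password-change grace period your policy allows, otherwise resets from before the window cannot be paired with their changes.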