I'm trying to make a search that allows me to see users resetting and changing their password. I have this SPL:
index=wineventlog EventCode=4723 OR EventCode=4724
| eval Modifier = mvindex(Account_Name, 0)
| eval Member_Modified = mvindex(Account_Name, 1)
| eval Modifier_Domain = mvindex(Account_Domain, 0)
| eval Modified_Domain = mvindex(Account_Domain, 1)
| table _time, Modifier, Member_Modified, EventCode
This shows me all the changes of the event codes in my environment. I was wondering if there was a way to take away the users that have both a 4724 (reset) and then a 4723 (changed); that way I can see which users still have to change their password after the reset.
index=wineventlog EventCode=4723 OR EventCode=4724
| eval Modifier = mvindex(Account_Name, 0)
| eval Member_Modified = mvindex(Account_Name, 1)
| eval Modifier_Domain = mvindex(Account_Domain, 0)
| eval Modified_Domain = mvindex(Account_Domain, 1)
| stats latest(_time) as _time dc(EventCode) as flag values(EventCode) as EventCode by Modifier Member_Modified
| where flag > 1
Do you need Modifier_Domain and Modified_Domain?
@Tokawa that works to a point. I'm trying to show users that do not change the password after the reset per policy. I changed it to this, but it's still off a little.
index=wineventlog EventCode=4723 OR EventCode=4724
| eval Modifier = mvindex(Account_Name, 0)
| eval Member_Modified = mvindex(Account_Name, 1)
| eval secondsAgoStr=tostring(now() - _time, "duration")
| search Member_Modified="user*"
| stats latest(_time) as _time dc(EventCode) as flag values(EventCode) as EventCode by Member_Modified, secondsAgoStr
| dedup Member_Modified
| where flag!=2 AND EventCode!=4723
Still not working 100% when trying to show an EventCode 4724 without the 4723 following it.
Try this. It uses dedup to find the most recent event for each modification and then filters out the changed events, which should leave the reset events without a subsequent change event.
index=wineventlog EventCode=4723 OR EventCode=4724
| eval Modifier = mvindex(Account_Name, 0)
| eval Member_Modified = mvindex(Account_Name, 1)
| eval Modifier_Domain = mvindex(Account_Domain, 0)
| eval Modified_Domain = mvindex(Account_Domain, 1)
| dedup Modifier, Member_Modified
| where EventCode!=4723
| table _time, Modifier, Member_Modified, EventCode
Don't use table in combination with a base search with a large event count. table is not a streaming command. Use fields or stats.
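To show the correlation the dedup approach relies on in a form that runs offline, here is an added Python example; it is not from the thread and not Splunk code. It keys on the target account only (index 1 of Account_Name), because a 4724 reset is logged with the admin as the subject while the 4723 change is logged with the user as the subject, and it treats a 4723 that happened before the 4724 as not satisfying the reset. The events, account names and policy window are constructed.

```python
from datetime import datetime, timedelta

RESET = 4724   # "An attempt was made to reset an account's password" (done by an admin)
CHANGE = 4723  # "An attempt was made to change an account's password" (done by the user)

# Constructed sample events, shaped like the thread's Account_Name multivalue field:
# (timestamp, EventCode, [subject account (Modifier), target account (Member_Modified)])
SAMPLE_EVENTS = [
    (datetime(2024, 1, 8, 9, 0),  RESET,  ["helpdesk1", "alice"]),
    (datetime(2024, 1, 8, 9, 30), CHANGE, ["alice", "alice"]),      # changed after reset: done
    (datetime(2024, 1, 8, 10, 0), RESET,  ["helpdesk1", "bob"]),    # never changed: pending
    (datetime(2024, 1, 7, 8, 0),  CHANGE, ["carol", "carol"]),      # change BEFORE the reset...
    (datetime(2024, 1, 8, 11, 0), RESET,  ["helpdesk2", "carol"]),  # ...so carol is still pending
    (datetime(2024, 1, 8, 12, 0), CHANGE, ["dave", "dave"]),        # no reset at all: nothing to do
]

def latest_event_per_target(events):
    """Equivalent of `dedup Member_Modified` on a time-descending stream:
    keep only the newest event for each target account."""
    latest = {}
    for when, code, names in events:
        target = names[1]
        if target not in latest or when > latest[target][0]:
            latest[target] = (when, code, names[0])
    return latest

def pending_resets(events, now=None, max_age_hours=None):
    """Targets whose most recent password event is a reset (4724) with no later change (4723).
    With now/max_age_hours set, only resets older than the policy window are reported."""
    result = []
    for target, (when, code, modifier) in latest_event_per_target(events).items():
        if code != RESET:
            continue  # newest event is a user change, so the reset was followed up
        if max_age_hours is not None and now - when < timedelta(hours=max_age_hours):
            continue  # reset is recent; the user is still inside the policy window
        result.append((target, modifier, when))
    return sorted(result)

if __name__ == "__main__":
    for target, modifier, when in pending_resets(SAMPLE_EVENTS):
        print(f"{when:%Y-%m-%d %H:%M}  reset by {modifier:<10}  {target} has not changed password yet")
```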