Can someone provide queries for the below:
Password reset events for a user
Interactive and non-interactive login attempts
Account disable event for a user
Thanks
If you haven't integrated Splunk users with LDAP or SAML, then user management activities (like account edits, password resets, or role changes) are logged in the _audit index. You can search with something like the SPL below on the search head (SH).
index=_audit action=edit_user
However, if your Splunk environment is integrated with Active Directory/Windows authentication, account lifecycle events (disable/enable, password resets, etc.) won't appear in _audit. Instead, you'll need to rely on the indexes holding Windows Security Event Logs, for example:
4722 → User account enabled
4725 → User account disabled
4723/4724 → Password change/reset
@EMDEEEEE
As others mentioned, you need to provide more context. If it's for Windows logs in Splunk, you can use the below.
Password reset event IDs are 4723 and 4724
index=YOUR_INDEX sourcetype="WinEventLog:Security" (EventCode=4723 OR EventCode=4724)
| eval Action=case(EventCode=4723,"Password Change Attempt", EventCode=4724,"Password Reset")
| table _time user Account_Name Target_Account_Name Action host
| sort - _time
Interactive & Non-interactive
Successful logons are EventCode 4624. The Logon_Type field tells you the type.
Interactive: 2 (console), 10 (remote desktop), 11 (cached); the rest you can normally treat as non-interactive
Account Disabled - Use EventCode 4725
index=YOUR_INDEX sourcetype="WinEventLog:Security" EventCode=4725
| eval Action="Account Disabled"
| table _time Target_Account_Name user host Action
| sort - _time
Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
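The answer above names the logon event and the Logon_Type values but gives no query for the interactive/non-interactive part of the question. The following SPL is an added example, not part of any answer on this page. It assumes the same classic WinEventLog:Security sourcetype as the other queries, with the Logon_Type, Target_Account_Name, Workstation_Name and Source_Network_Address fields extracted; YOUR_INDEX and TARGET_USER are placeholders to replace. It covers both successful (4624) and failed (4625) logons, since the question asks about attempts, and applies the same interactive set (2, 10, 11) the answer describes.

```spl
index=YOUR_INDEX sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=4625)
    Target_Account_Name="TARGET_USER"
| eval Result=if(EventCode=4624, "Success", "Failure")
| eval Logon_Class=if(Logon_Type=2 OR Logon_Type=10 OR Logon_Type=11, "Interactive", "Non-interactive")
| eval Logon_Desc=case(
      Logon_Type=2,  "Console",
      Logon_Type=3,  "Network",
      Logon_Type=4,  "Batch",
      Logon_Type=5,  "Service",
      Logon_Type=7,  "Unlock",
      Logon_Type=8,  "NetworkCleartext",
      Logon_Type=9,  "NewCredentials",
      Logon_Type=10, "RemoteDesktop",
      Logon_Type=11, "CachedInteractive",
      true(),        "Other")
| table _time Target_Account_Name Logon_Class Logon_Desc Result Logon_Type host Workstation_Name Source_Network_Address
| sort - _time
```

Logon_Type 3 (network) usually makes up the bulk of the non-interactive rows for a busy account, so if the table is too long, replace the table and sort lines with a stats count by Target_Account_Name Logon_Class Result to get the summary first and drill into the raw rows afterwards. If your events come through the Splunk Add-on for Windows in XML format instead, the field names may differ (for example src or src_ip instead of Source_Network_Address), so check the field list on a sample 4624 event before relying on the column names here.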
Hi @EMDEEEEE
What are the logs you are ingesting that you are looking for? There are a number of existing searches in the Splunk Security Essentials app (https://splunkbase.splunk.com/app/3435) and also at https://research.splunk.com/detections/ which might help you, it ultimately depends on the data you are ingesting.
What have you tried so far and how have those efforts not met expectations?
To help with this question, we need more information.