Solved: How do I create a search for Event id 4742 (-30 Da...

Freeza · ‎06-01-2023

hi team,
I'm creating a query that I need to look for if a machine changed the password (Password_last_set) more than once for a period of 30 days. I'm not getting it, can you help me? example: if I put the code below with earliest=-90d it brings me the 3 changes. more if I put | search count > 1 it doesn't gather the information and doesn't bring me the statistics.

some help me?

Query: (Dont Work)

index="main" source="wineventlog:security" EventCode=4742 user="TRBK8SPRD06$"
| stats count earliest(_time) as firstTime latest(_time) as lastTime values(user) by Password_Last_Set, user, signature

| convert timeformat="%d/%m/%Y %H:%M:%S" ctime(firstTime) | convert timeformat="%d/%m/%Y %H:%M:%S" ctime(lastTime) |  search count > 1

WORK:

index="main" source="wineventlog:security" EventCode=4742 user="TRBK8SPRD06$"
| stats count earliest(_time) as firstTime latest(_time) as lastTime values(user) by Password_Last_Set, user, signature

| convert timeformat="%d/%m/%Y %H:%M:%S" ctime(firstTime) | convert timeformat="%d/%m/%Y %H:%M:%S" ctime(lastTime)

thanks in advanced

ITWhisperer · ‎06-01-2023

Try where instead of count

| where count > 1

View solution in original post

ITWhisperer · ‎06-01-2023

Try where instead of count

| where count > 1

Freeza · ‎06-02-2023

hi bro,

it worked, for those who want to use or improve.

index="main" source="wineventlog:security" EventCode=4742 user="hostname$"
| stats count earliest(_time) as firstTime latest(_time) as lastTime values(user) as machines by user, signature
| convert timeformat="%d/%m/%Y %H:%M:%S" ctime(firstTime) | convert timeformat="%d/%m/%Y %H:%M:%S" ctime(lastTime) | where count > 1

thanks in advanced

How do I create a search for Event id 4742 (-30 Days)?

count

other

stats

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk

Modern way of developing distributed application using OTel