Splunk Search

How to search an event ID for password expiration enabled

wingstopdgon
New Member

I am trying to search event logs for an event when a user password is set to not expire. But the alert I have set up flags all account changes, not just the one where "Don't Expire Password" is enabled. Any assistance is appreciated.

Here is the search string I have.

source="WinEventLog:security" EventCode=4738
user=*
| eval Modifier=mvindex(Security_ID,0)
| eval AccountChanged=mvindex(Security_ID,1)
| eval ActionTaken=case(EventCode="4738","User Account Control")
| eval ActionHelper=case(EventCode="4738","Don't Expire Password - enabled")
| table _time, Modifier, ActionTaken, AccountChanged, ActionHelper


pkeenan87
Communicator

The field should be parsed by default. Do you have the Splunk TA for Windows installed on the Search Head (Link: https://splunkbase.splunk.com/app/742/)? If so, this search should work:

index=<<your_index>> source="WinEventLog:security" EventCode=4738 Account_Expires="<never>"
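The narrowing the question asks for, as an added example in Python that is not part of this thread or of Splunk: it parses constructed 4738-style event text (SIDs and names are made up) and keeps only the events whose User Account Control line reads 'Don't Expire Password' - Enabled, taking the modifier and changed account from the two Security ID values the same way the original search's mvindex(Security_ID, 0) and mvindex(Security_ID, 1) do.

```python
import re
from typing import Dict, List

# Constructed samples shaped like Event ID 4738 ("A user account was changed");
# SIDs, names and values are made up for this example. Unchanged attributes show "-".
SAMPLE_EVENTS = [
    "A user account was changed.\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1-2-3-500\n"
    "\tAccount Name:\t\thelpdesk01\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-1-2-3-1105\n"
    "\tAccount Name:\t\tjdoe\nChanged Attributes:\n\tAccount Expires:\t-\n"
    "\tUser Account Control:\t\n\t\t'Don't Expire Password' - Enabled\n",
    "A user account was changed.\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1-2-3-500\n"
    "\tAccount Name:\t\thelpdesk01\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-1-2-3-1106\n"
    "\tAccount Name:\t\tasmith\nChanged Attributes:\n\tDisplay Name:\t\tAlice Smith\n"
    "\tUser Account Control:\t-\n",
]

KEY_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]+?):\s*(.*)$")

def parse_4738(text: str) -> Dict[str, List[str]]:
    """Parse a 4738 message body into key -> list of values. A key seen twice (Security ID
    under Subject and under Target Account) keeps both values in order, like Splunk's
    multivalue Security_ID field."""
    fields: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current, value = m.group(1).strip(), m.group(2).strip()
            fields.setdefault(current, [])
            if value:
                fields[current].append(value)
        elif current and line.strip():
            # Continuation line, e.g. the flag list under "User Account Control:"
            fields[current].append(line.strip())
    return fields

def password_never_expires_enabled(fields: Dict[str, List[str]]) -> bool:
    """True only when this change set the 'Don't Expire Password' flag."""
    return any("Don't Expire Password' - Enabled" in v for v in fields.get("User Account Control", []))

def detect(events: List[str]) -> List[Dict[str, str]]:
    """One row per event that enabled the flag, mirroring the original search's table."""
    rows = []
    for text in events:
        f = parse_4738(text)
        if password_never_expires_enabled(f):
            sids = f.get("Security ID", []) + ["", ""]  # pad so missing SIDs become ""
            rows.append({"Modifier": sids[0], "AccountChanged": sids[1],
                         "ActionHelper": "Don't Expire Password - enabled"})
    return rows
```

Only the first sample is reported; the second is a 4738 for a display-name change and is dropped because its User Account Control value is "-".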