I am working on a Splunk search to see which users have changed their passwords more than a specific number of times over a specific timeframe.
Basically, I want to create a search which detects any password changes and then looks back to find the last time the password was changed. If it was too soon, alert.
Here is what I currently have for my search which shows password changes. Any assistance on what else I need to add to this search string would be a great help.
index=wineventlog EventCode=4723 status=success user=* |fields user, _time | table user, _time | rename user AS "User"
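An added example search (not from the original post) that extends the poster's base search to do both checks asked for above: it flags a change that comes too soon after the user's previous change, and a user who changes their password more than N times in a rolling window. It assumes the same index and field names as the original search (`index=wineventlog`, `EventCode=4723`, `status`, `user`), and the thresholds (86400 seconds, 3 changes per 24h) are example values to adjust.

```spl
index=wineventlog EventCode=4723 status=success user=*
| fields user, _time
| sort 0 _time
| streamstats current=f last(_time) AS prev_change BY user
| streamstats time_window=24h count AS changes_24h BY user
| eval secs_since_prev = _time - prev_change
| eval min_interval_secs = 86400, max_changes_24h = 3
| where (isnotnull(secs_since_prev) AND secs_since_prev < min_interval_secs)
    OR changes_24h > max_changes_24h
| eval prev_change = strftime(prev_change, "%Y-%m-%d %H:%M:%S"),
       this_change = strftime(_time, "%Y-%m-%d %H:%M:%S")
| table user, prev_change, this_change, secs_since_prev, changes_24h
| rename user AS "User"
```

The ascending `sort 0 _time` is required for `streamstats time_window` to work and makes `last(_time)` with `current=f` return each user's previous change; a user's first change inside the searched range has no `prev_change`, which the `isnotnull` check skips, so set the search time range at least one `min_interval_secs` further back than the period you want to alert on.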