I found the pwdLastSet field, which tells me when a password was actually reset, but I'm trying to see who actually reset the password. Is that possible in either the MS Windows AD Objects app or the Splunk App for Windows Infrastructure?
Have you tried something like this...
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4724
| fields EventCode, Account_Name, Account_Domain
| eval admin_Account_Name=mvindex(Account_Name,0), admin_Account_Domain=mvindex(Account_Domain,0)
| eval user_Account_Name=mvindex(Account_Name,1), user_Account_Domain=mvindex(Account_Domain,1)
| eval user = user_Account_Domain. " \\ ". user_Account_Name
| eval admin = admin_Account_Domain. " \\ ". admin_Account_Name
| table _time, user, admin
| sort -_time
| rename user as "Password Changed for account", admin as "Changed By"
I am new to Splunk, so sorry if this question is basic.
I would like to use the search info below. Just not sure where to input the username I want to search or the domain to search in.
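Added example, not part of the original thread: the search above works because event 4724 carries two Account Name / Account Domain pairs, the Subject (who performed the reset) first and the Target Account second, which is what `mvindex(...,0)` and `mvindex(...,1)` pick out. The Python sketch below applies the same positional logic to constructed sample events and filters on a target username and domain; the account names, the `CORP` domain and the function names are assumptions made for illustration.

```python
import re

# Constructed sample text in the layout of a Windows Security event 4724.
TEMPLATE = """EventCode={code}
Message=An attempt was made to reset an account's password.
Subject:
\tAccount Name:\t\t{admin}
\tAccount Domain:\t\t{admin_dom}
Target Account:
\tAccount Name:\t\t{user}
\tAccount Domain:\t\t{user_dom}
"""

def make_event(code, admin, user, admin_dom="CORP", user_dom="CORP"):
    return TEMPLATE.format(code=code, admin=admin, admin_dom=admin_dom,
                           user=user, user_dom=user_dom)

SAMPLE_EVENTS = [
    make_event(4724, "helpdesk1", "jdoe"),
    make_event(4724, "admin2", "asmith"),
    make_event(4724, "admin2", "JDoe", user_dom="corp"),  # same account, different case
    make_event(4738, "admin2", "jdoe"),                   # other event code, ignored
]

FIELD = re.compile(r"^[ \t]*(Account Name|Account Domain):[ \t]*(.*?)[ \t]*$", re.M)

def parse_4724(raw):
    # Returns (admin, user) as DOMAIN\name strings, or None for anything
    # that is not a 4724 event with both Subject and Target Account pairs.
    if not re.search(r"^EventCode=4724[ \t]*$", raw, re.M):
        return None
    pairs = FIELD.findall(raw)
    names = [v for k, v in pairs if k == "Account Name"]
    domains = [v for k, v in pairs if k == "Account Domain"]
    if len(names) < 2 or len(domains) < 2:
        return None
    # Index 0 is the Subject (resetter), index 1 the Target Account.
    return (domains[0] + "\\" + names[0], domains[1] + "\\" + names[1])

def resets_for(events, username, domain):
    # Account names are case-insensitive in AD, so compare lowercased.
    wanted = (domain + "\\" + username).lower()
    hits = []
    for raw in events:
        parsed = parse_4724(raw)
        if parsed and parsed[1].lower() == wanted:
            hits.append(parsed[0])
    return hits
```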