I'm trying to make a search that allows me to see users resetting and changing their password. I have this SPL:
index=wineventlog EventCode=4723 OR EventCode=4724
| eval Modifier = mvindex (Account_Name, 0)
| eval Member_Modified = mvindex (Account_Name, 1)
| eval Modifier_Domain = mvindex (Account_Domain, 0)
| eval Modified_Domain = mvindex (Account_Domain, 1)
| table _time, Modifier, Member_Modified, EventCode
This shows me all the changes of the event codes in my environment. I was wondering if there was a way to take away the users that have both a 4724 (reset) and then a 4723 (changed); that way I can see what users still have to change their password after the reset.
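One way to express the correlation asked about above, as an added example that is not part of the original post: record the latest reset (4724) and the latest change (4723) per target account, then keep only accounts whose latest reset has no later change. It assumes, as in the search above, that the second Account_Name value is the account being modified and that the search time range covers the resets of interest; the field names reset_time, change_time, reset_by, last_reset and last_change are introduced here for illustration.

```spl
index=wineventlog (EventCode=4723 OR EventCode=4724)
| eval Modifier = mvindex(Account_Name, 0)
| eval Member_Modified = lower(mvindex(Account_Name, 1))
| eval reset_time = if(EventCode=4724, _time, null())
| eval change_time = if(EventCode=4723, _time, null())
| eval reset_by = if(EventCode=4724, Modifier, null())
| stats max(reset_time) as last_reset, max(change_time) as last_change, latest(reset_by) as reset_by by Member_Modified
| where isnotnull(last_reset) AND (isnull(last_change) OR last_change < last_reset)
| eval last_reset = strftime(last_reset, "%Y-%m-%d %H:%M:%S")
| table Member_Modified, reset_by, last_reset
```

An account that changed its password and was then reset again still appears in the results, because the comparison is against the most recent reset rather than any earlier one.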