New users who have not changed their passwords

Comments

5 comments

  • Official comment
    Eli Jang

    You can customize the query below.
    _sourceCategory=windows
    | json field=_raw "EventData.TargetUserName" as user_name
    | if (EventID = "4720", 1, 0) as user_created
    | if (EventID = "4723", 1, 0) as password_changed
    | if (EventID = "4724", 1, 0) as password_reset
    // aggregate across all of an account's events first; filtering on user_created before aggregating keeps only the 4720 row, so the other two flags could never be 1
    | max(user_created) as user_created, max(password_changed) as password_changed, max(password_reset) as password_reset by user_name
    | where user_created = 1

    Output (1 is done, 0 is not)

  • Zack Luksha

    Thank you! Is it possible to write this in regex as well?

  • Eli Jang

    | parse regex "EventID\s=\s\"(?<event_id>\S+)\";" 

  • Harinder Bhandari

    Hi Zack

    You can use this search with parse regex:

    _sourceCategory=windows ("4720" OR "4723" OR "4724")
    | parse regex "\"EventID\"\:\"(?<EventID>.*?)\"," nodrop
    | parse regex "\"TargetUserName\":\"(?<user_name>.*?)\"," nodrop
    | if (EventID = "4720", 1, 0) as user_created
    | if (EventID = "4723", 1, 0) as password_changed
    | if (EventID = "4724", 1, 0) as password_reset
    // roll the three flags up per account before filtering, so a user's 4723/4724 events are not discarded by the where clause
    | max(user_created) as user_created, max(password_changed) as password_changed, max(password_reset) as password_reset by user_name
    | where user_created = 1

    Hope this helps.

    Thanks.

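The same correlation the queries above perform (flag 4720, 4723 and 4724 per TargetUserName, then keep created accounts), as an added Python example that is not from this thread or from Sumo Logic; the sample events are constructed, and their JSON shape (top-level EventID, EventData.TargetUserName) is an assumption taken from the field paths the queries parse. It also shows what the query output alone does not: an account that only has a 4723 (pre-existing user) is excluded, and unparseable lines are skipped the way `nodrop` tolerates them.

```python
"""Correlate Windows security events 4720/4723/4724 per target account."""
import json
from collections import defaultdict

# Constructed sample events (not real logs). Shape is assumed to match the
# JSON the thread's queries parse: top-level EventID, EventData.TargetUserName.
SAMPLE_EVENTS = [
    '{"EventID":"4720","EventData":{"TargetUserName":"alice"}}',
    '{"EventID":"4723","EventData":{"TargetUserName":"alice"}}',  # alice changed
    '{"EventID":"4720","EventData":{"TargetUserName":"bob"}}',    # bob never did
    '{"EventID":"4720","EventData":{"TargetUserName":"carol"}}',
    '{"EventID":"4724","EventData":{"TargetUserName":"carol"}}',  # admin reset
    '{"EventID":"4723","EventData":{"TargetUserName":"dave"}}',   # not a new user
    '{"EventID":"4624","EventData":{"TargetUserName":"bob"}}',    # logon, ignored
    'not json at all',                                             # skipped
]

FLAG_FOR_EVENT = {
    "4720": "user_created",
    "4723": "password_changed",
    "4724": "password_reset",
}


def per_user_flags(lines):
    """Return {user: {flag: 0/1}} for accounts that have a 4720 event.

    Flags are aggregated over ALL of a user's events (the equivalent of
    max() by user_name) before the created-only filter is applied.
    """
    flags = defaultdict(lambda: dict.fromkeys(FLAG_FOR_EVENT.values(), 0))
    for line in lines:
        try:
            ev = json.loads(line)
            event_id = str(ev["EventID"])  # tolerate numeric or string IDs
            user = ev["EventData"]["TargetUserName"]
        except (ValueError, KeyError, TypeError):
            continue  # nodrop-style: keep going past lines we cannot parse
        flag = FLAG_FOR_EVENT.get(event_id)
        if flag:
            flags[user][flag] = 1
    return {u: f for u, f in flags.items() if f["user_created"]}


def created_without_password_change(lines):
    """Accounts created (4720) with neither a change (4723) nor a reset (4724)."""
    return sorted(u for u, f in per_user_flags(lines).items()
                  if not (f["password_changed"] or f["password_reset"]))


if __name__ == "__main__":
    print(created_without_password_change(SAMPLE_EVENTS))
```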
  • Zack Luksha

    Thank you so much!
