Unchanged user password query for certain time frame

Comments

5 comments

  • Official comment
    Eli Jang

    Sample below.

    _sourceCategory=windows
    | json "TimeCreated", "EventData.TargetUserName" as event_time, user_name
    | where EventID = "4723"
    | parseDate(event_time, "yyyy-MM-dd'T'HH:mm:ss", "Asia/Tokyo") as pw_changed_at
    | now() as currentTime
    | ((currentTime - pw_changed_at)/ (86400000))  as days
    | round(days, 2) as duration_days
    | where duration_days > 30
    | formatDate(toLong(pw_changed_at), "yyyy-MM-dd'T'HH:mm:ss") as pw_changed_at
    | formatDate(toLong(currentTime), "yyyy-MM-dd'T'HH:mm:ss") as currentTime
    | fields user_name, pw_changed_at, currentTime, duration_days

  • Zack Luksha

    Thank you so much! Is it possible to also write this in regex?

    0
  • Eli Jang

    | parse regex "TimeCreated:\s\"(?<time_created>\S+)\","

    Refer to

    https://help.sumologic.com/05Search/Search-Query-Language/01-Parse-Operators/02-Parse-Variable-Patterns-Using-Regex

    0
  • Harinder Bhandari

    Hi Zack,

    You can use this search query:

    _sourceCategory=windows  ("4723")
    | parse regex "\"EventID\"\:\"(?<EventID>.*?)\"," nodrop
    | parse regex "\"TimeCreated\":\"(?<event_time>.*?)\"," nodrop
    | parse regex "\"TargetUserName\":\"(?<user_name>.*?)\"," nodrop
    | where EventID = "4723"
    | parseDate(event_time, "yyyy-MM-dd'T'HH:mm:ss", "America/Los_Angeles") as pw_changed_at
    | now() as currentTime
    | ((currentTime - pw_changed_at)/ (86400000))  as days
    | round(days, 2) as duration_days
    | where duration_days > 5
    | formatDate(toLong(pw_changed_at), "yyyy-MM-dd'T'HH:mm:ss") as pw_changed_at
    | formatDate(toLong(currentTime), "yyyy-MM-dd'T'HH:mm:ss") as currentTime
    | count by user_name, pw_changed_at, currentTime, duration_days
    | fields - _count

    Hope this helps.

    Thanks.

    0
  • Zack Luksha
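The two queries above (the JSON version in the official comment and the regex version in Harinder's reply) share one detection pipeline: extract EventID, TimeCreated and TargetUserName, keep Event ID 4723, compute the days since the change, and apply a threshold. The Python below is an added example, not code from the thread or from Sumo Logic; it runs that pipeline offline over constructed sample log lines so the arithmetic can be checked. It uses the same regular expressions as Harinder's answer (Python spells named groups `(?P<name>...)`), treats the timestamps as UTC (the thread uses Asia/Tokyo and America/Los_Angeles; the zone is an assumption here), and fixes "now" to a constructed constant so the result is reproducible. One deliberate difference: it keeps only the most recent 4723 event per user before comparing against the threshold, whereas the queries above report every 4723 event older than the threshold, so a user who changed their password again recently would still be listed because of an earlier event.

```python
"""Stale-password check over Windows Security events (added example).

Mirrors the Sumo Logic pipeline from the thread in plain Python:
regex extraction -> EventID 4723 filter -> days since change -> threshold.
All log lines, user names and the NOW constant are constructed test data.
"""
import re
from datetime import datetime, timezone

# Same patterns as the `parse regex` lines in the thread, in Python syntax.
EVENT_ID_RE = re.compile(r'"EventID":"(?P<EventID>.*?)",')
TIME_RE = re.compile(r'"TimeCreated":"(?P<event_time>.*?)",')
USER_RE = re.compile(r'"TargetUserName":"(?P<user_name>.*?)",')

# Equivalent of the query's "yyyy-MM-dd'T'HH:mm:ss" pattern.
TIME_FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed stand-in for now(); a fixed value keeps the example reproducible.
NOW = datetime(2023, 3, 1, 0, 0, 0, tzinfo=timezone.utc)

# Constructed sample events rendered as JSON text (not real log data).
# bob has two 4723 events; carol's 4624 logon is not a password change;
# the last line lacks TimeCreated and is skipped.
SAMPLE_LOGS = [
    '{"EventID":"4723","TimeCreated":"2023-01-10T08:15:00","EventData":{"TargetUserName":"alice","SubjectUserName":"alice"},"Channel":"Security"}',
    '{"EventID":"4723","TimeCreated":"2023-01-05T10:00:00","EventData":{"TargetUserName":"bob","SubjectUserName":"bob"},"Channel":"Security"}',
    '{"EventID":"4723","TimeCreated":"2023-02-25T12:00:00","EventData":{"TargetUserName":"bob","SubjectUserName":"bob"},"Channel":"Security"}',
    '{"EventID":"4624","TimeCreated":"2023-02-28T09:00:00","EventData":{"TargetUserName":"carol","LogonType":"2"},"Channel":"Security"}',
    '{"EventID":"4723","TimeCreated":"2023-01-29T00:00:00","EventData":{"TargetUserName":"dave","SubjectUserName":"dave"},"Channel":"Security"}',
    '{"EventID":"4723","EventData":{"TargetUserName":"erin","SubjectUserName":"erin"},"Channel":"Security"}',
]


def parse_event(line):
    """Extract (event_id, user_name, changed_at) from one log line.

    Returns None when any field is missing. Sumo's `nodrop` keeps such rows
    with an empty field; here they are simply skipped.
    """
    m_id, m_time, m_user = EVENT_ID_RE.search(line), TIME_RE.search(line), USER_RE.search(line)
    if not (m_id and m_time and m_user):
        return None
    # Assumption: TimeCreated is UTC (the thread's queries pass an explicit zone).
    changed_at = datetime.strptime(m_time["event_time"], TIME_FMT).replace(tzinfo=timezone.utc)
    return m_id["EventID"], m_user["user_name"], changed_at


def latest_password_change(lines, event_id="4723"):
    """Map each user to the timestamp of their most recent 4723 event."""
    latest = {}
    for line in lines:
        parsed = parse_event(line)
        if parsed is None or parsed[0] != event_id:
            continue  # the `where EventID = "4723"` step
        _, user, changed_at = parsed
        if user not in latest or changed_at > latest[user]:
            latest[user] = changed_at
    return latest


def stale_passwords(lines, now=NOW, threshold_days=30):
    """Return {user: duration_days} for users whose latest password change
    is older than threshold_days (the query's `where duration_days > 30`).

    The query divides by 86400000 because Sumo timestamps are milliseconds;
    timedelta gives seconds, so divide by 86400. Rounded like round(days, 2).
    """
    stale = {}
    for user, changed_at in latest_password_change(lines).items():
        days = (now - changed_at).total_seconds() / 86400
        if days > threshold_days:
            stale[user] = round(days, 2)
    return stale


if __name__ == "__main__":
    for user, days in sorted(stale_passwords(SAMPLE_LOGS).items()):
        print(f"{user}: last 4723 event {days} days ago")
```

Run as-is, the script reports alice and dave at the 30-day threshold; bob is not reported because his most recent change is 3.5 days old, even though his January event alone would pass a per-event filter. Lowering the threshold to 5, as in Harinder's query, gives the same two users on this data.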

    Thank you so much!

    0