Unchanged user password query for certain time frame
I am looking to create a query that tells me when a user has not changed their password in a certain time frame. I am wondering if I can create a query that shows the lack of a password change and how long that has been with an alert that triggers after a certain time frame.
Official comment
Sample below.
_sourceCategory=windows
| json "TimeCreated", "EventData.TargetUserName" as event_time, user_name
| where EventID = "4723"
| parseDate(event_time, "yyyy-MM-dd'T'HH:mm:ss", "Asia/Tokyo") as pw_changed_at
| now() as currentTime
| ((currentTime - pw_changed_at)/ (86400000)) as days
| round(days, 2) as duration_days
| where duration_days > 30
| formatDate(toLong(pw_changed_at), "yyyy-MM-dd'T'HH:mm:ss") as pw_changed_at
| formatDate(toLong(currentTime), "yyyy-MM-dd'T'HH:mm:ss") as currentTime
| fields user_name, pw_changed_at, currentTime, duration_days
| parse regex "TimeCreated:\s\"(?<time_created>\S+)\","
Refer to
Hi Zack,
You can use this search query:
_sourceCategory=windows ("4723")
| parse regex "\"EventID\"\:\"(?<EventID>.*?)\"," nodrop
| parse regex "\"TimeCreated\":\"(?<event_time>.*?)\"," nodrop
| parse regex "\"TargetUserName\":\"(?<user_name>.*?)\"," nodrop
| where EventID = "4723"
| parseDate(event_time, "yyyy-MM-dd'T'HH:mm:ss", "America/Los_Angeles") as pw_changed_at
| now() as currentTime
| ((currentTime - pw_changed_at)/ (86400000)) as days
| round(days, 2) as duration_days
| where duration_days > 5
| formatDate(toLong(pw_changed_at), "yyyy-MM-dd'T'HH:mm:ss") as pw_changed_at
| formatDate(toLong(currentTime), "yyyy-MM-dd'T'HH:mm:ss") as currentTime
| count by user_name, pw_changed_at, currentTime, duration_days
| fields - _count
Hope this helps.
Thanks.
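As an added worked example (not code from either answer above), the same check in Python instead of Sumo Logic query language: it reads constructed JSON lines in the EventID / TimeCreated / EventData.TargetUserName shape the queries extract, keeps only the newest 4723 event per user, and reports how many days ago it was against a threshold. It also covers a gap in both queries, which can only return users who have a 4723 event inside the search window: passing a list of accounts that are expected to have changed lets accounts with no change event at all be reported too. The sample events and the fixed "now" are assumptions made up for this example.

```python
import json
from datetime import datetime, timezone

# Constructed sample events in the JSON shape the queries above parse
# (EventID, TimeCreated, EventData.TargetUserName). Not real log data.
SAMPLE_EVENTS = [
    '{"EventID":"4723","TimeCreated":"2024-01-10T09:15:00","EventData":{"TargetUserName":"alice"}}',
    '{"EventID":"4723","TimeCreated":"2024-02-20T17:40:00","EventData":{"TargetUserName":"alice"}}',
    '{"EventID":"4723","TimeCreated":"2024-02-01T08:00:00","EventData":{"TargetUserName":"bob"}}',
    '{"EventID":"4624","TimeCreated":"2024-03-01T08:00:00","EventData":{"TargetUserName":"carol"}}',
]
# Constructed "now" so the result is reproducible; the queries use now().
SAMPLE_NOW = datetime(2024, 3, 1, 0, 0, tzinfo=timezone.utc)


def latest_password_change(lines, tz=timezone.utc):
    """Map each user to the timestamp of their most recent 4723 event.
    Other EventIDs are skipped; repeated 4723 events for one user collapse
    to the newest (the queries above emit one row per event)."""
    latest = {}
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") != "4723":
            continue
        user = ev["EventData"]["TargetUserName"]
        # Same "yyyy-MM-dd'T'HH:mm:ss" layout the queries hand to parseDate().
        ts = datetime.strptime(ev["TimeCreated"], "%Y-%m-%dT%H:%M:%S")
        ts = ts.replace(tzinfo=tz)
        if user not in latest or ts > latest[user]:
            latest[user] = ts
    return latest


def stale_passwords(lines, now, max_days, expected_users=()):
    """Return {user: days since last change} for users over max_days.
    Any account in expected_users with no 4723 event in the input is
    reported with None, which the query alone cannot do because it only
    ever sees users who did change their password."""
    latest = latest_password_change(lines)
    flagged = {}
    for user in set(latest) | set(expected_users):
        if user not in latest:
            flagged[user] = None
            continue
        # Same arithmetic as the query: elapsed time / one day (ms / 86400000).
        days = (now - latest[user]).total_seconds() / 86400
        if days > max_days:
            flagged[user] = round(days, 2)
    return flagged
```

Like the queries above, this treats every 4723 event as a completed change; 4723 is logged for password change attempts, so a production version should also check the event's result before trusting the timestamp.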