topic Identify users who changed their password in the last 48 hours in Cortex XDR Discussions

Identify users who changed their password in the last 48 hours

LeandroKopke — Thu, 16 Jan 2025 19:11:27 GMT

Hi!

I am having difficulty performing an activity that consists of:

I have an XQL query that validates unsuccessful logon attempts using EventID 4625. This query is functional and searches the logs for the last 7 days.
I need to add a filter to this query that identifies whether the user has had their password changed in the last 48 hours, using EventID 4724 and 4725. And if they have changed it, it will not show results in the original query.
What syntax should I use?

Re: Identify users who changed their password in the last 48 hours

nsinghvirk — Mon, 20 Jan 2025 15:01:08 GMT

Hello @LeandroKopke

Thanks for reaching out on LiveCommunity!

Please try below query. This will filter out password reset events less than 48 hours ago and list failed login attempts.

dataset = xdr_data
| filter action_evtlog_event_id = 4724
| alter interval = timestamp_diff(current_time(),_time,"HOUR")
| filter interval > 48
| filter action_evtlog_event_id = 4625

Please click Accept as Solution to acknowledge that the answer to your question has been provided.

Re: Identify users who changed their password in the last 48 hours

SorinP — Tue, 21 Jan 2025 16:09:35 GMT

Hi Leandro

Can you try this query?

dataset = xdr_data
| filter timestamp_diff(current_time(),_time,"hour")<=48
| filter event_type = EVENT_LOG and action_evtlog_event_id in (4724) and agent_hostname in ("*")
| alter User_Name = lowercase(arrayindex(regextract(action_evtlog_message, "An attempt was made to reset an account's password.:\r\n.*\r\n.*Account Name:.*?(\w.*)\r\n"),0))
| alter Account_Name = arrayindex(regextract(action_evtlog_message, "Account Name:.*?(\w.*)\r\n"),0),
Account_Domain = arrayindex(regextract(action_evtlog_message , "Account Domain:.*?(\w.*)\r\n"),0),
Message =arrayindex(regextract(action_evtlog_message , ".*?(\w.*)\r\n"),0),
Logon_ID = arrayindex(regextract(action_evtlog_message,"Logon ID:.*?(\w.*)\r\n"),0),
Failure_reason = arrayindex(regextract(action_evtlog_message,"Failure Reason.*?(\w.*)\r\n"),0),
Status = arrayindex(regextract(action_evtlog_message,"Status:.*?(\w.*)\r\n"),0),
Sub_status = arrayindex(regextract(action_evtlog_message,"Sub Status:.*?(\w.*)\r\n"),0),
Workstation_Name = arrayindex(regextract(action_evtlog_message,"Workstation Name:.*?(\w.*)\r\n"),0)
| fields agent_hostname , Message , User_Name ,Account_Domain , Logon_ID , Workstation_Name