Identify users who changed their password in the last 48 hours


L0 Member

Hi!

I am having difficulty performing an activity that consists of:

I have an XQL query that validates unsuccessful logon attempts using EventID 4625. This query is functional and searches the logs for the last 7 days.
I need to add a filter to this query that identifies whether the user has had their password changed in the last 48 hours, using EventID 4724 and 4725. And if they have changed it, it will not show results in the original query.
What syntax should I use?

2 REPLIES

L4 Transporter

Hello @LeandroKopke 


Thanks for reaching out on LiveCommunity!

Please try the query below. This will filter out password reset events less than 48 hours ago and list failed login attempts.

dataset = xdr_data
| filter action_evtlog_event_id = 4625
| alter user = lowercase(arrayindex(regextract(action_evtlog_message, "Account For Which Logon Failed:[\s\S]*?Account Name:\s+(\S+)"), 0))
| join type = left (dataset = xdr_data
    | filter action_evtlog_event_id in (4724, 4725) and timestamp_diff(current_time(), _time, "HOUR") <= 48
    | alter reset_user = lowercase(arrayindex(regextract(action_evtlog_message, "Target Account:[\s\S]*?Account Name:\s+(\S+)"), 0))
    | fields reset_user | dedup reset_user) as r r.reset_user = user
| filter reset_user = null // keep 4625 rows whose user had no 4724/4725 event in the last 48 hours


Please click Accept as Solution to acknowledge that the answer to your question has been provided.

L0 Member

Hi Leandro

Can you try this query?

dataset = xdr_data
| filter timestamp_diff(current_time(),_time,"hour") <= 48
| filter event_type = EVENT_LOG and action_evtlog_event_id in (4724) and agent_hostname in ("*")
// 4724 carries two "Account Name:" values (the Subject who performed the reset and the Target Account); anchor on "Target Account:" to get the user whose password was reset
| alter User_Name = lowercase(arrayindex(regextract(action_evtlog_message, "Target Account:[\s\S]*?Account Name:\s+(\S+)"),0))
// The unanchored patterns below return the first match, i.e. the Subject section; Failure_reason, Status and Sub_status exist only in 4625 messages and stay null on 4724
| alter Account_Name = arrayindex(regextract(action_evtlog_message, "Account Name:.*?(\w.*)\r\n"),0),
    Account_Domain = arrayindex(regextract(action_evtlog_message, "Account Domain:.*?(\w.*)\r\n"),0),
    Message = arrayindex(regextract(action_evtlog_message, ".*?(\w.*)\r\n"),0),
    Logon_ID = arrayindex(regextract(action_evtlog_message, "Logon ID:.*?(\w.*)\r\n"),0),
    Failure_reason = arrayindex(regextract(action_evtlog_message, "Failure Reason.*?(\w.*)\r\n"),0),
    Status = arrayindex(regextract(action_evtlog_message, "Status:.*?(\w.*)\r\n"),0),
    Sub_status = arrayindex(regextract(action_evtlog_message, "Sub Status:.*?(\w.*)\r\n"),0),
    Workstation_Name = arrayindex(regextract(action_evtlog_message, "Workstation Name:.*?(\w.*)\r\n"),0)
| fields agent_hostname, Message, User_Name, Account_Domain, Logon_ID, Workstation_Name

  • 307 Views
  • 2 replies
  • 0 Likes
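The same correlation the thread asks for, as an added Python example that is not from the thread or from Cortex XDR: it parses constructed 4625/4724/4725 messages in the shape of Windows Security log records and drops failed logons for users who had a password reset or account disable in the last 48 hours. The sample events, the fixed clock and the helper names are assumptions; the point it shows is that each message carries two "Account Name:" fields (Subject and target), so extraction must be anchored on the section header.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events in the shape of Windows Security log records:
# (event_id, UTC timestamp, message). Not real data from the thread.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    (4625, NOW - timedelta(hours=2),
     "An account failed to log on.\r\n\r\nSubject:\r\n\tAccount Name:\t\tWS01$\r\n\r\n"
     "Account For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\talice\r\n"),
    (4625, NOW - timedelta(hours=5),
     "An account failed to log on.\r\n\r\nSubject:\r\n\tAccount Name:\t\tWS02$\r\n\r\n"
     "Account For Which Logon Failed:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\tBob\r\n"),
    (4724, NOW - timedelta(hours=20),
     "An attempt was made to reset an account's password.\r\n\r\nSubject:\r\n\tAccount Name:\t\thelpdesk\r\n\r\n"
     "Target Account:\r\n\tSecurity ID:\t\tS-1-5-21-1\r\n\tAccount Name:\t\tbob\r\n"),
    (4725, NOW - timedelta(hours=72),
     "A user account was disabled.\r\n\r\nSubject:\r\n\tAccount Name:\t\thelpdesk\r\n\r\n"
     "Target Account:\r\n\tSecurity ID:\t\tS-1-5-21-2\r\n\tAccount Name:\t\talice\r\n"),
]

# Each message has two "Account Name:" fields (Subject and target), so the
# pattern is anchored on the section header before extracting the name.
FAILED_LOGON_USER = re.compile(r"Account For Which Logon Failed:[\s\S]*?Account Name:\s+(\S+)")
TARGET_USER = re.compile(r"Target Account:[\s\S]*?Account Name:\s+(\S+)")

def extract_user(event_id, message):
    pattern = FAILED_LOGON_USER if event_id == 4625 else TARGET_USER
    m = pattern.search(message)
    return m.group(1).lower() if m else None

def failed_logons_without_recent_reset(events, now, window_hours=48):
    """Return (timestamp, user) for 4625 events whose target user had no
    4724/4725 event within the last window_hours."""
    cutoff = now - timedelta(hours=window_hours)
    recently_changed = {
        extract_user(eid, msg) for eid, ts, msg in events
        if eid in (4724, 4725) and ts >= cutoff
    }
    return [
        (ts, extract_user(eid, msg)) for eid, ts, msg in events
        if eid == 4625 and extract_user(eid, msg) not in recently_changed
    ]

if __name__ == "__main__":
    for ts, user in failed_logons_without_recent_reset(EVENTS, NOW):
        print(ts.isoformat(), user)
```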