Dashboard Query: Forced Password Resets

Document created by Spencer Engleson Employee on Oct 27, 2016Last modified by Spencer Engleson Employee on Oct 27, 2016
Version 3Show Document
  • View in full screen mode

This query shows users who have had their password reset by another user.  There are a few variants of this query, explained below.


Log Set: Active Directory Admin Activity

Event Source: Active Directory


Password Resets by Target User

This first query will show all users who have been the target of a forced password reset.  Recommended visualization option is a table (the "Count" column is the total number of password reset events for the target user that have occurred in the selected time range):


     where(action="PASSWORD_RESET" AND source_user!=target_user)groupby(target_user)





Password Resets by Source User

Alternatively, changing the groupby to source_user to have the table (or other visualization) show the users who are resetting passwords, rather than the target users:


     where(action="PASSWORD_RESET" AND source_user!=target_user)groupby(source_user)



Password Resets Trend over Time

Lastly, to see a trend over time for forced password resets, utilize a count function, a timeline chart, and a longer time range to show the number of forced password resets over time:


     where(action="PASSWORD_RESET" AND source_user!=target_user) calculate(count)