I am working on generating a raw log query from AD - User Acct password has been reset 5 times within 10 minutes. I can query on the event ID, and can set the threshold, but I am not sure how to key the query to check and see if it’s the same account for that threshold?
Thanks!
@mkarolitzky, is the goal to build a custom detection rule from this query? If so, you would set the threshold in the Groupby section like this
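To make the per-account grouping concrete outside any particular SIEM, here is an added Python example (not code from the thread or from the product being discussed) that implements the same rule logic: count password-reset events per target account in a sliding 10-minute window and alert when the count reaches 5. It assumes Windows Security event ID 4724 (an attempt was made to reset an account's password) and assumed field names over a constructed set of sample events.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for the example. Event ID 4724 and the field
# names (ts, event_id, target, subject) are assumptions, not from the thread.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00", "event_id": 4724, "target": "jdoe", "subject": "helpdesk1"},
    {"ts": "2024-01-01T10:01:00", "event_id": 4724, "target": "jdoe", "subject": "helpdesk1"},
    {"ts": "2024-01-01T10:02:00", "event_id": 4724, "target": "asmith", "subject": "helpdesk1"},
    {"ts": "2024-01-01T10:03:00", "event_id": 4724, "target": "jdoe", "subject": "helpdesk1"},
    {"ts": "2024-01-01T10:04:00", "event_id": 4724, "target": "jdoe", "subject": "helpdesk1"},
    {"ts": "2024-01-01T10:05:00", "event_id": 4720, "target": "jdoe", "subject": "helpdesk1"},  # other ID, ignored
    {"ts": "2024-01-01T10:09:00", "event_id": 4724, "target": "jdoe", "subject": "helpdesk1"},
    {"ts": "2024-01-01T10:30:00", "event_id": 4724, "target": "asmith", "subject": "helpdesk1"},
]


def find_reset_bursts(events, event_id=4724, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per target account whose reset events reach `threshold`
    inside any sliding window of length `window`.

    Grouping by the *target* account is what turns a global threshold into a
    per-account one; the same idea applies to a Groupby field in a SIEM rule.
    """
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event_id"] != event_id:
            continue
        by_account[e["target"]].append(datetime.fromisoformat(e["ts"]))

    alerts = []
    for account, times in by_account.items():
        start = 0
        for end, t in enumerate(times):
            # Advance the left edge until every event in [start, end] fits the window.
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts.append({"account": account, "count": count,
                               "window_start": times[start].isoformat(),
                               "window_end": t.isoformat()})
                break  # one alert per account is enough for this rule
    return alerts


if __name__ == "__main__":
    for alert in find_reset_bursts(SAMPLE_EVENTS):
        print(alert)
```

With the sample data only `jdoe` fires (five 4724 events between 10:00 and 10:09); `asmith` has two resets and the 4720 event is excluded by the ID filter.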
Excellent! Thanks. I now understand how that function is used.
Much Appreciated!