I'm trying to set up a search for when a user disables their 2FA vs when IT disables it for them.
I have the User Account and the Actor account.
index=auth sourcetype=auth mfa* (actor.displayName="*") legacyEventType="core.user.factor.deactivate"
|stats count by "actor.displayName", "target{}.displayName", "displayMessage", _time
|rename "actor.displayName" AS "Changed by","target{}.displayName" AS "Account Changed", displayMessage as "Action"
Results look like
Changed by Account Changed Action _time count
Bob Johnson Mike Smith Reset factor for user 2018-10-09 15:16:19.880 1
Kelly Short Kelly Short Reset factor for user 2018-10-09 02:45:08.536 1
I'm trying to compare whether the "Changed by" and "Account Changed" values match, and return just those results. And then, eval doesn't seem to like comparing values, and match() asks to compare a field to a regex.
Does anyone have any idea how to compare 2 field values from the same search?
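An added example (not from the original post and not Splunk's own documentation) that compares the two fields inside `eval` and `where` before the `stats`, labelling each factor deactivation as self-service (actor and target are the same person) or admin-initiated. It reuses the base search from the post and assumes display names are unique enough to stand in for user identity; the single quotes around `'actor.displayName'` and `'target{}.displayName'` are required because those names contain characters `eval` cannot otherwise parse.

```spl
index=auth sourcetype=auth mfa* (actor.displayName="*") legacyEventType="core.user.factor.deactivate"
| eval initiated_by=if('actor.displayName'=='target{}.displayName', "self-service", "admin")
| where initiated_by="self-service"
| stats count by actor.displayName, "target{}.displayName", displayMessage, initiated_by, _time
| rename "actor.displayName" AS "Changed by", "target{}.displayName" AS "Account Changed", displayMessage AS "Action", initiated_by AS "Initiated by"
```

Drop the `where` line to keep both kinds of event in one table split by the "Initiated by" column; because the match is on display names rather than user IDs, two accounts sharing a display name would be miscounted as self-service.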