Detect previous password change in bruteforce detection rule

You can check the Last Password Changed information for a user account in Active Directory. The information for last password changed is stored in an attribute called “PwdLastSet”.

It is important to note whether this attribute is mapped in ECS to the mentioned events or other events related to user management. If not, you can find this attribute by reading all the information in the message field.

I also recommend taking a look at this topic to see if it helps:

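One way to use the attribute from the answer above in a brute-force rule, as an added example that is not part of the original post: convert the raw `pwdLastSet` value (a Windows FILETIME) to a UTC timestamp and tag bursts of failed logons that begin shortly after a password change. The function names, labels, the threshold of 5 failures, the 24-hour grace window and the sample users are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100-ns intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def pwd_last_set_to_datetime(raw):
    """Convert raw pwdLastSet to UTC; 0 (change required at next logon) gives None."""
    ticks = int(raw)
    return None if ticks <= 0 else FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    """Inverse conversion, used here only to build the constructed sample."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def classify_failures(failures, pwd_last_set, threshold=5, grace=timedelta(hours=24)):
    """Label each user's failed logons; threshold and grace are assumed values."""
    per_user = {}
    for user, ts in failures:
        per_user.setdefault(user, []).append(ts)
    verdicts = {}
    for user, stamps in per_user.items():
        if len(stamps) < threshold:
            verdicts[user] = "below_threshold"
            continue
        changed = pwd_last_set_to_datetime(pwd_last_set.get(user, 0))
        first = min(stamps)
        # Failures starting shortly after a password change are often stale
        # saved credentials, so tag them instead of alerting as brute force.
        if changed is not None and changed <= first <= changed + grace:
            verdicts[user] = "after_password_change"
        else:
            verdicts[user] = "bruteforce_suspected"
    return verdicts

# Constructed sample: alice changed her password 30 minutes before the failures
# began; bob's password has been unchanged for months.
T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_FAILURES = [(u, T0 + timedelta(seconds=10 * i))
                   for u in ("alice", "bob") for i in range(6)]
SAMPLE_PWD_LAST_SET = {
    "alice": datetime_to_filetime(T0 - timedelta(minutes=30)),
    "bob": datetime_to_filetime(T0 - timedelta(days=120)),
}

if __name__ == "__main__":
    print(classify_failures(SAMPLE_FAILURES, SAMPLE_PWD_LAST_SET))
```

Tagging keeps the events visible for review; the grace window should stay short so a real attack that happens to follow a password change is still examined.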