
Password change by Non-Owner Query

Question asked by Nathan Olsen on Jul 29, 2015
Latest reply on Aug 20, 2015 by Nathan Olsen

Currently using Security Analytics 10.4

I'm running a daily report on password changes by a non-owner, i.e., a user changes a different user's password.


The predicate clause is:


alert.id = 'account:modified' && category = 'user account management' && device.type = 'winevent_nic' && user.src != user.dst


However, the last predicate doesn't do anything to remove accounts where user.src & user.dst are identical. There are still a large number of rows (almost all of them) where the user is changing their own password.


Anyone have any insight here? I've got a decent background in SQL and query syntax, but using the reporting engine makes me want to scream most days.


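One defender-side workaround while the predicate itself is being sorted out is to post-filter the exported report rows and drop the ones where the changing account and the changed account are the same. The script below is an added example, not from the original thread or from RSA; it assumes the report is exported as CSV with the same column names the query selects (user.src, user.dst), which is an assumption, and it treats decorated forms such as CORP\jdoe, jdoe@corp.local and JDOE as the same account so self-changes are not missed on a case or domain-prefix mismatch.

```python
import csv
import io

# Constructed sample of a report export (not real data). user.src is the
# account performing the change, user.dst the account whose password changed.
SAMPLE_CSV = """alert.id,category,device.type,user.src,user.dst
account:modified,user account management,winevent_nic,CORP\\jdoe,jdoe
account:modified,user account management,winevent_nic,CORP\\helpdesk1,jsmith
account:modified,user account management,winevent_nic,asmith,ASMITH
account:modified,user account management,winevent_nic,CORP\\Administrator,svc_backup
"""


def normalize_user(value):
    """Reduce a Windows account name to a comparable form: strip a DOMAIN\\
    prefix or an @domain suffix and lower-case it, so 'CORP\\jdoe', 'jdoe@corp.local'
    and 'JDOE' all compare equal."""
    v = value.strip()
    if "\\" in v:
        v = v.rsplit("\\", 1)[1]
    if "@" in v:
        v = v.split("@", 1)[0]
    return v.lower()


def non_owner_changes(csv_text):
    """Return only the rows where the changing account differs from the changed
    account, i.e. the rows the 'user.src != user.dst' predicate was meant to keep."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [
        r for r in rows
        if normalize_user(r["user.src"]) != normalize_user(r["user.dst"])
    ]


if __name__ == "__main__":
    # With the sample above, only the helpdesk1 and Administrator rows survive.
    for r in non_owner_changes(SAMPLE_CSV):
        print(f"{r['user.src']} changed the password of {r['user.dst']}")
```

Feed it the real export in place of SAMPLE_CSV and the surviving rows are the non-owner changes worth reviewing.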
