AnsweredAssumed Answered

Password change by Non-Owner Query

Question asked by Nathan Olsen on Jul 29, 2015
Latest reply on Aug 20, 2015 by Nathan Olsen

Currently using Security Analytics 10.4

I'm running a daily report on password changes by non-owner, i.e., user changes a different user's password.


The predicate clause is: = 'account:modified' && category = 'user account management' && device.type = 'winevent_nic' && user.src != user.dst


However, the last predicate doesn't do anything to remove accounts where user.src & user.dst are identical. There are still a large number of rows (almost all of them) where the user is changing their own password.


Anyone have any insight here? I've got a decent background in SQL and query syntax, but using the reporting engine makes me want to scream most days.


Message was edited by: nolsen311 -- trying to use code snippet markup --