Currently using Security Analytics 10.4
I'm running a daily report on password changes by non-owner, i.e., user changes a different user's password.
The predicate clause is:
alert.id = 'account:modified' && category = 'user account management' && device.type = 'winevent_nic' && user.src != user.dst
However, the last predicate doesn't do anything to remove accounts where user.src & user.dst are identical. There are still a large number of rows (almost all of them) where the user is changing their own password.
Anyone have any insight here? I've got a decent background in SQL and query syntax, but using the reporting engine makes me want to scream most days.
Message was edited by: nolsen311 -- trying to use code snippet markup --
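One way to get the intended result while the in-engine predicate is sorted out is to post-filter the report's rows outside the reporting engine. The block below is an added example, not code from the original post or from RSA Security Analytics; it assumes the daily report can be exported as CSV with columns named after the meta keys in the rule (`user.src`, `user.dst`, and so on), and the sample rows are constructed. It also normalises a `DOMAIN\user` prefix and case before comparing, since two spellings of the same account would otherwise be reported as a non-owner change.

```python
# Added example (not from the original post): post-filter exported report rows
# so that only password changes made on a different account remain.
import csv
import io

# Constructed sample export; the column names mirror the meta keys in the rule.
SAMPLE_CSV = """alert.id,category,device.type,user.src,user.dst
account:modified,user account management,winevent_nic,alice,alice
account:modified,user account management,winevent_nic,helpdesk01,bob
account:modified,user account management,winevent_nic,CORP\\alice,alice
account:modified,user account management,winevent_nic,ADMIN,carol
account:modified,user account management,winevent_nic,Dave,dave
"""


def normalize(user):
    """Strip a DOMAIN\\ prefix and fold case so 'CORP\\alice' matches 'alice'."""
    user = user.strip()
    if "\\" in user:
        user = user.rsplit("\\", 1)[1]
    return user.lower()


def non_owner_changes(csv_text, normalize_names=True):
    """Return the rows whose acting account (user.src) differs from the
    target account (user.dst). With normalize_names=True, domain prefix and
    case are ignored; with False the raw strings are compared, which is the
    comparison the rule's predicate is meant to express."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        src, dst = row["user.src"], row["user.dst"]
        if normalize_names:
            src, dst = normalize(src), normalize(dst)
        if src != dst:
            hits.append(row)
    return hits


if __name__ == "__main__":
    for row in non_owner_changes(SAMPLE_CSV):
        print(f"{row['user.src']} changed password of {row['user.dst']}")
```

On the constructed sample, the normalised comparison keeps only the `helpdesk01` and `ADMIN` rows; the raw comparison also keeps `CORP\alice` vs `alice` and `Dave` vs `dave`, which is worth knowing before reading the counts as genuine non-owner changes.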