I need to create a search that determines if an admin user's password is changed. The current search pulls the domain admins group and checks for Windows event codes designating if a password is changed. However, it's telling us if an admin changes someone else's password and not only if an admin's password is changed.
How do I create a search to limit the search to only admins and only if THEIR password is changed?
Hi
Probably you could check it with the CIM data models? Just deploy it to your system and ensure that your data collection is CIM compliant. Then you probably could use the Change DM https://docs.splunk.com/Documentation/CIM/5.1.1/User/Change ?
r. Ismo
Splunk is just a tool. You need to show your data (anonymize as necessary) including the makeup of the lookup, and explain what logic YOU use to tell when an admin changed their own password based on that set of data.
This is my current search query:
index=wineventlog (EventCode=4724 OR EventCode=4723) ([| inputlookup AD_Obj_User WHERE domain="mydomain" AND [| inputlookup AD_Obj_Group WHERE dn="cn=domain admins,cn=users,dc=mydomain,dc=com" | fields member | rename member as dn | table dn | format]
| fields sAMAccountName
| stats values(sAMAccountName) AS search
| table search
| format])
| fields _time, host, src_user, user, sourcetype, EventCode, signature, _raw
| stats count AS Total_Events, max(_time) AS Last_Time BY EventCode, signature, src_user, user
| search ([| inputlookup AD_Obj_User WHERE domain="mydomain" AND [| inputlookup AD_Obj_Group WHERE dn="cn=domain admins,cn=users,dc=mydomain,dc=com" | fields member | rename member as dn | table dn | format]
| fields sAMAccountName
| stats values(sAMAccountName) AS user
| table user
| format])
| eval Last_Time=strftime(Last_Time, "%m/%d/%y %I:%M:%S %P")
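The selection logic this thread is after, as an added Python example that is not part of the original posts: it follows the field convention the search already relies on (the Splunk Windows add-on maps src_user to SubjectUserName and user to TargetUserName for 4723/4724), keeps only events whose target account is in the domain admins list, and labels a self-change (4723) separately from a reset performed by another account (4724). The admin names and sample events are constructed; the prefix/UPN normalisation is an assumption about how account names appear in your events.

```python
from dataclasses import dataclass

# Constructed stand-in for the sAMAccountName list that the AD_Obj_Group /
# AD_Obj_User lookups return for "domain admins" (assumed names, not real ones).
DOMAIN_ADMINS = {"alice", "bob"}

# Field names follow the Splunk Windows add-on convention for 4723/4724:
# src_user = SubjectUserName (who performed the action),
# user     = TargetUserName (whose password was changed or reset).
@dataclass(frozen=True)
class Event:
    event_code: int
    src_user: str
    user: str

def bare_account(name):
    """Normalise 'MYDOMAIN\\alice', 'alice@mydomain.com' and 'Alice' to 'alice'."""
    name = name.rsplit("\\", 1)[-1].split("@", 1)[0]
    return name.lower()

def classify(ev, admins):
    """Return 'change|reset:self|other' when an admin's own password was touched, else None."""
    if ev.event_code not in (4723, 4724):
        return None
    target = bare_account(ev.user)
    if target not in admins:
        return None  # an admin changing someone else's password is out of scope
    action = "change" if ev.event_code == 4723 else "reset"
    actor = "self" if bare_account(ev.src_user) == target else "other"
    return f"{action}:{actor}"

def admin_password_events(events, admins=DOMAIN_ADMINS):
    """Equivalent of the final `search user=<admin> ...` filter plus a stats-style count BY."""
    counts = {}
    for ev in events:
        label = classify(ev, admins)
        if label is None:
            continue
        key = (ev.event_code, bare_account(ev.src_user), bare_account(ev.user), label)
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample events (not real log data).
SAMPLE = [
    Event(4723, "MYDOMAIN\\alice", "alice"),      # admin changed her own password: keep
    Event(4724, "alice", "carol"),                # admin reset a non-admin: drop
    Event(4724, "helpdesk", "Bob"),               # someone reset an admin's password: keep
    Event(4724, "helpdesk", "bob@mydomain.com"),  # same, UPN form: keep
    Event(4720, "alice", "dave"),                 # account created, wrong event code: drop
]

if __name__ == "__main__":
    for key, n in admin_password_events(SAMPLE).items():
        print(key, n)
```

The same split can be reproduced in SPL with an eval such as `self_change=if(lower(src_user)=lower(user),"yes","no")` added to the BY clause of the stats.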