<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to create use case that would detect when Admin Password Modified/Changed? in Monitoring Splunk</title>
    <link>https://community.splunk.com/t5/Monitoring-Splunk/How-to-create-use-case-that-would-detect-when-admin-password/m-p/601414#M8978</link>
    <description>&lt;P&gt;Please explain what is meant by "not doing the search I want".&amp;nbsp; What do you want and what do you get?&lt;/P&gt;&lt;P&gt;My WinEventLog doesn't have the user_category and src_user_category fields.&amp;nbsp; Are you sure yours does?&amp;nbsp; In the past, I've had to detect admin accounts based on a naming convention.&amp;nbsp; For example:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;index=wineventlog EventCode=4724 user!="*$" user="adm_*"
| where user=src_user&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Fri, 10 Jun 2022 19:35:34 GMT</pubDate>
    <dc:creator>richgalloway</dc:creator>
    <dc:date>2022-06-10T19:35:34Z</dc:date>
    <item>
      <title>How to create use case that would detect when admin password modified/changed?</title>
      <link>https://community.splunk.com/t5/Monitoring-Splunk/How-to-create-use-case-that-would-detect-when-admin-password/m-p/600997#M8975</link>
      <description>&lt;P&gt;Hi All,&lt;/P&gt;
&lt;P&gt;I need to create a Use Case that would detect Admin user/s changing their own password.&lt;/P&gt;
&lt;P&gt;So far I have:&lt;/P&gt;
&lt;P&gt;index=XXX EventCode=4724&lt;/P&gt;
&lt;P&gt;| where user=src_user AND src_user_category="privileged" AND&amp;nbsp; user_category="privileged"&lt;/P&gt;
&lt;P&gt;not sure how to go around as this is not doing the search I want.&lt;/P&gt;
&lt;P&gt;Any help much appreciated!&lt;/P&gt;
&lt;P&gt;Thanks all&lt;/P&gt;</description>
      <pubDate>Fri, 10 Jun 2022 19:55:49 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Monitoring-Splunk/How-to-create-use-case-that-would-detect-when-admin-password/m-p/600997#M8975</guid>
      <dc:creator>DanAlexander</dc:creator>
      <dc:date>2022-06-10T19:55:49Z</dc:date>
    </item>
    <item>
      <title>Re: How to create use case that would detect when Admin Password Modified/Changed?</title>
      <link>https://community.splunk.com/t5/Monitoring-Splunk/How-to-create-use-case-that-would-detect-when-admin-password/m-p/601414#M8978</link>
      <description>&lt;P&gt;Please explain what is meant by "not doing the search I want".&amp;nbsp; What do you want and what do you get?&lt;/P&gt;&lt;P&gt;My WinEventLog doesn't have the user_category and src_user_category fields.&amp;nbsp; Are you sure yours does?&amp;nbsp; In the past, I've had to detect admin accounts based on a naming convention.&amp;nbsp; For example:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;index=wineventlog EventCode=4724 user!="*$" user="adm_*"
| where user=src_user&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 10 Jun 2022 19:35:34 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Monitoring-Splunk/How-to-create-use-case-that-would-detect-when-admin-password/m-p/601414#M8978</guid>
      <dc:creator>richgalloway</dc:creator>
      <dc:date>2022-06-10T19:35:34Z</dc:date>
    </item>
  </channel>
</rss>

