
Find out who changed an AD account password?

rodiers01
New Member

I found the pwdLastSet field which tells me when a password was actually reset, but I'm trying to see who actually reset the password. Is that possible in either the MS Windows AD Objects app or the Splunk App for Windows Infrastructure?


rbreton
Path Finder

Have you tried something like this...

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4724
| fields EventCode, Account_Name, Account_Domain
| eval admin_Account_Name=mvindex(Account_Name,0), admin_Account_Domain=mvindex(Account_Domain,0)
| eval user_Account_Name=mvindex(Account_Name,1), user_Account_Domain=mvindex(Account_Domain,1)
| eval user = user_Account_Domain. " \\ ". user_Account_Name
| eval admin = admin_Account_Domain. " \\ ". admin_Account_Name
| table _time, user, admin
| sort -_time
| rename user as "Password Changed for account", admin as "Changed By"
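The search above works because of how the 4724 event is laid out: the Subject block (the principal that performed the reset) comes before the Target Account block (the account whose password was reset), and both carry an "Account Name" and an "Account Domain" line, so Splunk's Windows add-on extracts Account_Name and Account_Domain as multivalue fields with the subject at index 0 and the target at index 1. Event 4724 is an administrative reset; a user changing their own password logs 4723 instead, which the search deliberately leaves out. The Python below is an added example, not code from this thread or from Splunk, that parses constructed sample events in that layout and reproduces the search's logic (filter to 4724, map index 0 to "Changed By" and index 1 to "Password Changed for account", newest first), and it goes one step further by letting you restrict the result to one target account and domain. The host name, SIDs, account names and timestamps are made up.

```python
import re
from datetime import datetime

# Shape of a Windows Security event as Splunk's WinEventLog input stores it:
# timestamp line, key=value header lines, then the Message body in which the
# Subject block precedes the Target Account block. Constructed, not captured.
EVENT_TEMPLATE = (
    "{ts}\n"
    "LogName=Security\n"
    "EventCode={code}\n"
    "ComputerName=dc01.corp.example\n"
    "Message={message}\n"
    "\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-5-21-1000-2000-3000-1105\n"
    "\tAccount Name:\t\t{subject}\n"
    "\tAccount Domain:\t\tCORP\n"
    "\tLogon ID:\t\t0x3E7\n"
    "\n"
    "Target Account:\n"
    "\tSecurity ID:\t\tS-1-5-21-1000-2000-3000-1201\n"
    "\tAccount Name:\t\t{target}\n"
    "\tAccount Domain:\t\tCORP\n"
)


def make_event(ts, code, subject, target):
    """Build one constructed sample event (all values are made up)."""
    message = ("An attempt was made to reset an account's password." if code == 4724
               else "An attempt was made to change an account's password.")
    return EVENT_TEMPLATE.format(ts=ts, code=code, message=message,
                                 subject=subject, target=target)


# Two administrative resets (4724) and one self-service change (4723) that the
# 4724 search must ignore.
SAMPLE_EVENTS = [
    make_event("03/14/2024 09:12:41 AM", 4724, "adm.jane", "bob.smith"),
    make_event("03/14/2024 10:05:03 AM", 4724, "adm.sam", "alice.wong"),
    make_event("03/14/2024 10:30:00 AM", 4723, "bob.smith", "bob.smith"),
]

HEADER_RE = re.compile(r"^(\w+)=(.*)$", re.MULTILINE)


def header_field(event, name):
    """Return a key=value header field such as EventCode, or None."""
    for key, value in HEADER_RE.findall(event):
        if key == name:
            return value.strip()
    return None


def multivalue(event, label):
    """Every value of a 'Label:<tabs>value' line, in document order.

    This mirrors the add-on's multivalue extraction: index 0 is the Subject
    value, index 1 the Target Account value, which is what mvindex(..., 0)
    and mvindex(..., 1) in the search rely on.
    """
    pattern = re.compile(r"^\s*" + re.escape(label) + r":\s*(.+?)\s*$", re.MULTILINE)
    return pattern.findall(event)


def describe_reset(event):
    """Mirror the eval lines: who performed the reset and whose password it was."""
    names = multivalue(event, "Account Name")
    domains = multivalue(event, "Account Domain")
    if len(names) < 2 or len(domains) < 2:
        raise ValueError("event lacks both Subject and Target Account sections")
    when = datetime.strptime(event.splitlines()[0].strip(), "%m/%d/%Y %I:%M:%S %p")
    return {
        "_time": when,
        "user": f"{domains[1]}\\{names[1]}",   # "Password Changed for account"
        "admin": f"{domains[0]}\\{names[0]}",  # "Changed By"
    }


def password_resets(events, target_user=None, target_domain=None):
    """EventCode 4724 only, optionally one target account, newest first."""
    rows = []
    for event in events:
        if header_field(event, "EventCode") != "4724":
            continue
        row = describe_reset(event)
        domain, _, name = row["user"].partition("\\")
        if target_user is not None and name.lower() != target_user.lower():
            continue
        if target_domain is not None and domain.lower() != target_domain.lower():
            continue
        rows.append(row)
    return sorted(rows, key=lambda r: r["_time"], reverse=True)
```

To narrow the equivalent SPL to one account, the same condition goes into the base search (for example Account_Name="bob.smith" and Account_Domain="CORP" next to EventCode=4724) or into a `| search` on the derived user field after the evals; the Python filter above does the latter, matching case-insensitively the way Splunk field searches do.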

phoenix143
New Member

Hello,

I am new to Splunk, so sorry if this question is basic.

I would like to use the search info below. I am just not sure where to input the username I want to search or the domain to search in.
