Building for the Splunk Platform

Find out who changed an AD account password?

New Member

I found the pwsLastSet field which tells me when a password was actually reset but I'm trying to see who actually reset the password. Is that possible in either the MS Windows AD Objects app or the Splunk App for Windows Infrastructure?

Tags (1)
0 Karma

Path Finder

Have you tried something like this...

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4724
| fields EventCode, Account_Name, Account_Domain
| eval admin_Account_Name=mvindex(Account_Name,0), admin_Account_Domain=mvindex(Account_Domain,0)
| eval user_Account_Name=mvindex(Account_Name,1), user_Account_Domain=mvindex(Account_Domain,1) 
| eval user = user_Account_Domain. " \\ ". user_Account_Name
| eval admin = admin_Account_Domain. " \\ ". admin_Account_Name
| table _time, user, admin
| sort -time
| rename  user as "Password Changed for account", admin as "Changed By"

New Member


i am new to splunk so sorry if this question is basic.

i would like to user the search info below.  just not sure where to input the username i want to search or the domain to search in

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...