Hi All,
I need to create a Use Case that would detect Admin user/s changing their own password.
So far I have:
index=XXX EventCode=4724
| where user=src_user AND src_user_category="privileged" AND user_category="privileged"
Not sure how to go about this, as it is not doing the search I want.
Any help much appreciated!
Thanks all
Please explain what is meant by "not doing the search I want". What do you want and what do you get?
My WinEventLog doesn't have the user_category and src_user_category fields. Are you sure yours does? In the past, I've had to detect admin accounts based on a naming convention. For example:
index=wineventlog EventCode=4724 user!="*$" user="adm_*"
| where user=src_user
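The same detection logic, written out in Python as an added example that is not part of the thread and not the answerer's search. It runs the two conditions from the answer (the target account equals the subject account, and the account matches an admin naming convention) over constructed sample events shaped like the fields Splunk's Windows add-on extracts (EventCode, src_user for the Subject account, user for the Target account). The "adm_" prefix is the naming-convention assumption from the answer. Because 4724 is a password reset by another principal, while 4723 is a user changing their own password with the old one, the example accepts both codes so a self-change is caught either way; the account names and events are constructed.

```python
"""Detect privileged accounts changing or resetting their own password.

Added example for the thread above, not the poster's or Splunk's code.
Assumptions: field names follow the Splunk Windows TA (EventCode, src_user,
user); admin accounts are identified by the constructed "adm_" prefix.
"""
import fnmatch

# Constructed sample events (not real logs), mirroring the fields the
# Security log exposes for 4724 (reset) and 4723 (change).
SAMPLE_EVENTS = [
    {"EventCode": "4724", "src_user": "adm_alice", "user": "adm_alice"},  # admin resets own password
    {"EventCode": "4724", "src_user": "adm_alice", "user": "bob"},        # admin resets another user
    {"EventCode": "4724", "src_user": "bob", "user": "bob"},              # self reset, not an admin
    {"EventCode": "4724", "src_user": "ADM_CAROL", "user": "adm_carol"},  # same account, different case
    {"EventCode": "4724", "src_user": "adm_dave", "user": "WS01$"},       # computer account target
    {"EventCode": "4723", "src_user": "adm_erin", "user": "adm_erin"},    # admin changes own password
    {"EventCode": "4720", "src_user": "adm_frank", "user": "adm_frank"},  # account creation, ignored
]

ADMIN_PATTERN = "adm_*"          # hypothetical naming convention, as in the answer
PASSWORD_CODES = {"4724", "4723"}  # reset by another principal / change with old password


def is_admin(name):
    """True when the account matches the admin naming convention (case-insensitive)."""
    return fnmatch.fnmatchcase(name.lower(), ADMIN_PATTERN)


def is_computer_account(name):
    """Windows machine accounts end in '$'; the search excludes them with user!="*$"."""
    return name.endswith("$")


def detect_admin_self_password_change(events, codes=PASSWORD_CODES):
    """Return the events where a privileged account acted on its own password.

    Mirrors: EventCode in codes, user!="*$", user="adm_*", where user=src_user.
    Windows account names are case-insensitive, so the comparison lowercases.
    """
    hits = []
    for ev in events:
        if ev.get("EventCode") not in codes:
            continue
        subject = ev.get("src_user", "")
        target = ev.get("user", "")
        if not subject or not target:
            continue  # malformed event: cannot compare principals
        if is_computer_account(subject) or is_computer_account(target):
            continue
        if subject.lower() != target.lower():
            continue  # someone else's password was touched
        if not is_admin(target):
            continue  # self-change by a non-privileged account
        hits.append(ev)
    return hits


def flagged_accounts(events, codes=PASSWORD_CODES):
    """Convenience: the distinct (lowercased) admin accounts that were flagged."""
    return sorted({ev["user"].lower() for ev in detect_admin_self_password_change(events, codes)})


if __name__ == "__main__":
    for ev in detect_admin_self_password_change(SAMPLE_EVENTS):
        print(f'{ev["EventCode"]}: {ev["src_user"]} acted on own password')
```

Restricting `codes` to `{"4724"}` reproduces the answer's search exactly; the case-insensitive comparison is worth keeping in SPL as well (for example `lower(user)=lower(src_user)`), since the Subject and Target fields are not guaranteed to use the same casing.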