Monitoring Splunk

How to create use case that would detect when admin password modified/changed?

DanAlexander
Communicator

Hi All,

I need to create a Use Case that would detect Admin user/s changing their own password.

So far I have:

index=XXX EventCode=4724

| where user=src_user AND src_user_category="privileged" AND  user_category="privileged"

not sure how to go around as this is not doing the search I want.

Any help much appreciated!

Thanks all

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Please explain what is meant by "not doing the search I want".  What do you want and what do you get?

My WinEventLog doesn't have the user_category and src_user_category fields.  Are you sure yours does?  In the past, I've had to detect admin accounts based on a naming convention.  For example:

index=wineventlog EventCode=4724 user!="*$" user="adm_*"
| where user=src_user

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

Sooooooooooo, guess what. .conf25 is almost here, and if you're on the Security Learning Path, this is your ...

First Steps with Splunk SOAR

Our first step was to gather a list of the playbooks we wanted and to sort them by priority.  Once this list ...

How To Build a Self-Service Observability Practice with Splunk Observability Cloud

If you’ve read our previous post on self-service observability, you already know what it is and why it ...