Splunk Dev

Find out who changed an AD account password?

rodiers01
New Member

I found the pwsLastSet field which tells me when a password was actually reset but I'm trying to see who actually reset the password. Is that possible in either the MS Windows AD Objects app or the Splunk App for Windows Infrastructure?

Tags (1)
0 Karma

rbreton
Path Finder

Have you tried something like this...

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4724
| fields EventCode, Account_Name, Account_Domain
| eval admin_Account_Name=mvindex(Account_Name,0), admin_Account_Domain=mvindex(Account_Domain,0)
| eval user_Account_Name=mvindex(Account_Name,1), user_Account_Domain=mvindex(Account_Domain,1) 
| eval user = user_Account_Domain. " \\ ". user_Account_Name
| eval admin = admin_Account_Domain. " \\ ". admin_Account_Name
| table _time, user, admin
| sort -time
| rename  user as "Password Changed for account", admin as "Changed By"

phoenix143
New Member

hello

i am new to splunk so sorry if this question is basic.

i would like to user the search info below.  just not sure where to input the username i want to search or the domain to search in

0 Karma
Get Updates on the Splunk Community!

ATTENTION!! We’re MOVING (not really)

Hey, all! In an effort to keep this Slack workspace secure and also to make our new members' experience easy, ...

Splunk Admins: Build a Smarter Stack with These Must-See .conf25 Sessions

  Whether you're running a complex Splunk deployment or just getting your bearings as a new admin, .conf25 ...

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...