Splunk Dev

Find out who changed an AD account password?

New Member

I found the pwsLastSet field which tells me when a password was actually reset but I'm trying to see who actually reset the password. Is that possible in either the MS Windows AD Objects app or the Splunk App for Windows Infrastructure?

Tags (1)
0 Karma

Path Finder

Have you tried something like this...

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4724
| fields EventCode, Account_Name, Account_Domain
| eval admin_Account_Name=mvindex(Account_Name,0), admin_Account_Domain=mvindex(Account_Domain,0)
| eval user_Account_Name=mvindex(Account_Name,1), user_Account_Domain=mvindex(Account_Domain,1) 
| eval user = user_Account_Domain. " \\ ". user_Account_Name
| eval admin = admin_Account_Domain. " \\ ". admin_Account_Name
| table _time, user, admin
| sort -time
| rename  user as "Password Changed for account", admin as "Changed By"

New Member


i am new to splunk so sorry if this question is basic.

i would like to user the search info below.  just not sure where to input the username i want to search or the domain to search in

0 Karma
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...