Hi! In Windows, the log event that reports a password change looks like:

WinEvtLog: Security: AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: (no user): no domain: SRV-DC.ft.local: A user account was changed. Subject: Security ID: S-1-5-21-3227760434-1372198118-1359596449-1114 Account Name: dg Account Domain: FL Logon ID: 0x1204753c Target Account: Security ID: S-1-5-21-3227760434-1372198118-1359596449-1269 Account Name: DP Account Domain: FL Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: 8/8/2012 2:42:44 PM Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -

This log triggered an alert of rule 18111 (Windows account changed). In order to have a separate "Password changed" rule I wrote this rule:

<!-- Password changed for Windows Account -->
<rule id="100003" level="7">
  <if_sid>18111</if_sid>
  <regex>Password Last Set: \d </regex>
  <description>Password changed for Windows account</description>
</rule>

But it doesn't work. When I use <match> instead of <regex> it doesn't help.
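As an added example (not part of the post, and not OSSEC's own rule engine), here is a Python parser for the flattened 4738 line above. It pulls out the subject, the target account and the "Changed Attributes" block, and treats the event as a password change only when the "Password Last Set" field holds a value rather than "-". Both sample events are constructed from the event quoted in the post; the second one, where only the display name changed, shows why a detection must key on that one field and not on event 4738 alone.

```python
import re
from datetime import datetime

# Constructed sample: the 4738 event quoted in the post, flattened to a single
# line the way the agent forwards it (SIDs and account names are the post's own).
SAMPLE_PASSWORD_CHANGE = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: SRV-DC.ft.local: A user account was changed. "
    "Subject: Security ID: S-1-5-21-3227760434-1372198118-1359596449-1114 "
    "Account Name: dg Account Domain: FL Logon ID: 0x1204753c "
    "Target Account: Security ID: S-1-5-21-3227760434-1372198118-1359596449-1269 "
    "Account Name: DP Account Domain: FL Changed Attributes: SAM Account Name: - "
    "Display Name: - User Principal Name: - Home Directory: - Home Drive: - "
    "Script Path: - Profile Path: - User Workstations: - "
    "Password Last Set: 8/8/2012 2:42:44 PM Account Expires: - Primary Group ID: - "
    "AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - "
    "User Account Control: - User Parameters: - SID History: - Logon Hours: - "
    "Additional Information: Privileges: -"
)

# Constructed variant: same accounts, but only the display name changed, so
# "Password Last Set" is "-". A password-change rule must not fire on this.
SAMPLE_DISPLAY_NAME_ONLY = SAMPLE_PASSWORD_CHANGE.replace(
    "Password Last Set: 8/8/2012 2:42:44 PM", "Password Last Set: -"
).replace("Display Name: -", "Display Name: Demo Person")

# Attribute names in the order Windows writes them in the 4738
# "Changed Attributes" block; "Additional Information" terminates the block.
CHANGED_ATTRIBUTES = [
    "SAM Account Name", "Display Name", "User Principal Name", "Home Directory",
    "Home Drive", "Script Path", "Profile Path", "User Workstations",
    "Password Last Set", "Account Expires", "Primary Group ID",
    "AllowedToDelegateTo", "Old UAC Value", "New UAC Value",
    "User Account Control", "User Parameters", "SID History", "Logon Hours",
]

_SUBJECT = re.compile(
    r"Subject: Security ID: (?P<sid>\S+) Account Name: (?P<name>.*?) "
    r"Account Domain: (?P<domain>\S+) Logon ID: (?P<logon_id>\S+)"
)
_TARGET = re.compile(
    r"Target Account: Security ID: (?P<sid>\S+) Account Name: (?P<name>.*?) "
    r"Account Domain: (?P<domain>\S+) Changed Attributes:"
)


def parse_changed_attributes(event):
    """{attribute: value}; each value is delimited by the attribute that follows it,
    so values containing spaces (dates, display names) are captured intact."""
    _, sep, block = event.partition("Changed Attributes: ")
    if not sep:
        return {}
    attrs = {}
    names = CHANGED_ATTRIBUTES + ["Additional Information"]
    for name, following in zip(names, names[1:]):
        m = re.search(re.escape(name) + r": (.*?) " + re.escape(following) + ":", block)
        if m:
            attrs[name] = m.group(1)
    return attrs


def parse_4738(event):
    """Parse a flattened 4738 line; None if the line is some other event."""
    if "AUDIT_SUCCESS(4738)" not in event:
        return None
    subject, target = _SUBJECT.search(event), _TARGET.search(event)
    if not (subject and target):
        return None
    return {
        "subject": subject.groupdict(),
        "target": target.groupdict(),
        "changed": parse_changed_attributes(event),
    }


def changed_fields(event):
    """Names of the attributes that actually changed ("-" means unchanged)."""
    parsed = parse_4738(event)
    if parsed is None:
        return []
    return [name for name, value in parsed["changed"].items() if value != "-"]


def is_password_change(event):
    """The alert condition: a password was set on the target account."""
    return "Password Last Set" in changed_fields(event)


def password_set_time(event):
    """Parse the 'Password Last Set' value (US date format, as in the post)."""
    parsed = parse_4738(event)
    value = parsed["changed"].get("Password Last Set", "-") if parsed else "-"
    if value == "-":
        return None
    return datetime.strptime(value, "%m/%d/%Y %I:%M:%S %p")


if __name__ == "__main__":
    for sample in (SAMPLE_PASSWORD_CHANGE, SAMPLE_DISPLAY_NAME_ONLY):
        p = parse_4738(sample)
        print(f"{p['subject']['name']} changed {p['target']['name']}: "
              f"{changed_fields(sample)} password_change={is_password_change(sample)}")
```

The parser delimits every value by the name of the next attribute rather than by whitespace, which is what makes the multi-word date in "Password Last Set" come out whole; the same approach lets a detection report exactly which attributes changed, so the password case can be alerted on separately from a display-name or UAC change.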
