On Wed, Aug 8, 2012 at 7:29 AM, Dmitry <[email protected]> wrote:
> Hi!
>
> In Windows, the log event that reports a password change looks like:
>
> WinEvtLog: Security: AUDIT_SUCCESS(4738):
> Microsoft-Windows-Security-Auditing: (no user): no domain: SRV-DC.ft.local:
> A user account was changed. Subject: Security ID:
> S-1-5-21-3227760434-1372198118-1359596449-1114 Account Name: dg Account
> Domain: FL Logon ID: 0x1204753c Target Account: Security ID:
> S-1-5-21-3227760434-1372198118-1359596449-1269 Account Name: DP Account
> Domain: FL Changed Attributes: SAM Account Name: - Display Name: - User
> Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile
> Path: - User Workstations: - Password Last Set: 8/8/2012 2:42:44 PM Account
> Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New
> UAC Value: - User Account Control: - User Parameters: - SID History: - Logon
> Hours: - Additional Information: Privileges: -
>
> This log triggered an alert from rule 18111 (Windows account changed).
>
> In order to have a separate "Password changed" rule, I wrote this rule:
>
> <!-- Password changed for Windows Account -->
> <rule id="100003" level="7">
>   <if_sid>18111</if_sid>
>   <regex>Password Last Set: \d </regex>
>   <description>Password changed for Windows account</description>
> </rule>
>
> But it doesn't work. Using <match> instead of <regex> doesn't help either.
>
This works fine for me:

<rule id="100089" level="7">
  <if_sid>18111</if_sid>
  <match>Password Last Set:</match>
  <description>blahblah</description>
</rule>
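For anyone wanting to check what such a rule would fire on before loading it into OSSEC, here is an added Python example (not from the thread or the OSSEC project) that parses the "Changed Attributes" section of a 4738 event and decides whether the change was a password reset. The sample events, SIDs and account names are constructed stand-ins for the one quoted above.

```python
import re
from typing import Optional

# Attribute names in the "Changed Attributes" section of a 4738 event, in the
# order Windows writes them (taken from the event quoted in the thread).
ATTRS = [
    "SAM Account Name", "Display Name", "User Principal Name", "Home Directory",
    "Home Drive", "Script Path", "Profile Path", "User Workstations",
    "Password Last Set", "Account Expires", "Primary Group ID",
    "AllowedToDelegateTo", "Old UAC Value", "New UAC Value",
    "User Account Control", "User Parameters", "SID History", "Logon Hours",
]
_NAMES = "|".join(re.escape(a) for a in ATTRS)
# "<name>: <value>" where the value runs up to the next attribute name.
_FIELD = re.compile(r"(" + _NAMES + r"):\s*(.*?)\s*(?=(?:" + _NAMES + r"|Additional Information):)")

# Constructed sample events modelled on the thread's log line (placeholder SIDs/names).
_TEMPLATE = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: DC01.example.local: A user account was changed. "
    "Subject: Security ID: S-1-5-21-0-0-0-1001 Account Name: admin Account Domain: EX "
    "Logon ID: 0x1 Target Account: Security ID: S-1-5-21-0-0-0-1002 Account Name: bob "
    "Account Domain: EX Changed Attributes: SAM Account Name: - Display Name: {display} "
    "User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - "
    "User Workstations: - Password Last Set: {pls} Account Expires: - Primary Group ID: - "
    "AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - "
    "User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -"
)
PASSWORD_EVENT = _TEMPLATE.format(display="-", pls="8/8/2012 2:42:44 PM")
RENAME_EVENT = _TEMPLATE.format(display="Bob Example", pls="-")


def changed_attributes(line: str) -> Optional[dict]:
    """Return {attribute: new value} for each attribute the event marks as changed
    (any value other than '-'), or None if the line is not a 4738 event."""
    if "(4738)" not in line:
        return None
    _, _, tail = line.partition("Changed Attributes:")
    return {name: val for name, val in _FIELD.findall(tail) if val != "-"}


def is_password_change(line: str) -> bool:
    """Same decision as the <match>Password Last Set:</match> rule, but keyed on
    the field's value so that a 4738 with only a display-name change is ignored."""
    changed = changed_attributes(line)
    return bool(changed) and "Password Last Set" in changed


if __name__ == "__main__":
    for ev in (PASSWORD_EVENT, RENAME_EVENT):
        print(is_password_change(ev), changed_attributes(ev))
```

Note that plain `<match>Password Last Set:</match>` also fires on every 4738 event, since the field name is always present (with value `-` when the password was not touched); checking the value, as above, is what separates a password reset from other account changes.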
