You see, rule 18111 is "A user account was changed".
In the "Changed Attributes" part of the log there are all the attribute
names, and there is only one value, for the attribute that changed.
So in any alert of rule 18111 there is the attribute name "Password Last
Set".

So the only way to determine a password change is to look for a digit
after "Password Last Set: ".
Otherwise there will be "-".

On Wednesday, August 8, 2012 4:28:10 PM UTC+4, dan (ddpbsd) wrote:
>
> On Wed, Aug 8, 2012 at 7:29 AM, Dmitry <[email protected]>
> wrote:
> > Hi! 
> > 
> > In Windows Log event that says about changing password looks like: 
> > 
> > WinEvtLog: Security: AUDIT_SUCCESS(4738):
> > Microsoft-Windows-Security-Auditing: (no user): no domain: SRV-DC.ft.local:
> > A user account was changed. Subject: Security ID:
> > S-1-5-21-3227760434-1372198118-1359596449-1114 Account Name: dg Account
> > Domain: FL Logon ID: 0x1204753c Target Account: Security ID:
> > S-1-5-21-3227760434-1372198118-1359596449-1269 Account Name: DP Account
> > Domain: FL Changed Attributes: SAM Account Name: - Display Name: - User
> > Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile
> > Path: - User Workstations: - Password Last Set: 8/8/2012 2:42:44 PM Account
> > Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New
> > UAC Value: - User Account Control: - User Parameters: - SID History: - Logon
> > Hours: - Additional Information: Privileges: -
> > 
> > This log triggered alert of rule 18111 (Windows account changed). 
> > 
> > In order to have separate rule "Password changed" I wrote rule: 
> > 
> > <!-- Password changed for Windows Account -->
> > <rule id="100003" level="7">
> >   <if_sid>18111</if_sid>
> >   <regex>Password Last Set: \d </regex>
> >   <description>Password changed for Windows account</description>
> > </rule>
> > 
> > But it doesn't work. When I use <match> instead of <regex> it doesn't
> > help.
> > 
> > 
>
> This works fine for me: 
>
> <rule id="100089" level="7"> 
>   <if_sid>18111</if_sid> 
>   <match>Password Last Set:</match> 
>   <description>blahblah</description> 
> </rule> 
>
