On 08.08.2012 06:29, Dmitry wrote:
Hi!

In the Windows log, the event that reports a password change looks like this:

_WinEvtLog: Security: AUDIT_SUCCESS(4738):
Microsoft-Windows-Security-Auditing: (no user): no domain:
SRV-DC.ft.local: A user account was changed. Subject: Security ID:
S-1-5-21-3227760434-1372198118-1359596449-1114 Account Name: dg
Account Domain: FL Logon ID: 0x1204753c Target Account: Security ID:
S-1-5-21-3227760434-1372198118-1359596449-1269 Account Name: DP
Account Domain: FL Changed Attributes: SAM Account Name: - Display
Name: - User Principal Name: - Home Directory: - Home Drive: - Script
Path: - Profile Path: - User Workstations: - PASSWORD LAST SET:
8/8/2012 2:42:44 PM Account Expires: - Primary Group ID: -
AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account
Control: - User Parameters: - SID History: - Logon Hours: - Additional
Information: Privileges: -_

Be careful with event ID 4738 (and its cousin 642 in 2k3). This gets logged for all kinds of things, including new account creations, expiration time changes, the account being disabled, etc. Windows usually logs another corresponding event for password changes and other activities. In addition, many attributes can change in one alert or only one attribute, making your rule less precise. We'll probably set the user account changed rule to not alert in the future, while focusing on the accompanying event ID which has more meaning. It's just too noisy to be effective.
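As an added example, not part of the thread, here is a small Python triage routine run over a constructed one-line copy of the 4738 event quoted above: it keeps only the "Changed Attributes" whose value is not "-", so a rule can fire precisely on a password-set change and stay quiet when the 4738 carries no attribute change and the companion event is the one worth alerting on. The label list, verdict names and regexes are my own assumptions, not OSSEC's.

```python
import re

# Constructed sample: the 4738 event quoted in the thread, joined onto one line as OSSEC logs it.
SAMPLE_4738 = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: (no user): "
    "no domain: SRV-DC.ft.local: A user account was changed. Subject: Security ID: "
    "S-1-5-21-3227760434-1372198118-1359596449-1114 Account Name: dg Account Domain: FL "
    "Logon ID: 0x1204753c Target Account: Security ID: "
    "S-1-5-21-3227760434-1372198118-1359596449-1269 Account Name: DP Account Domain: FL "
    "Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - "
    "Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - "
    "PASSWORD LAST SET: 8/8/2012 2:42:44 PM Account Expires: - Primary Group ID: - "
    "AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - "
    "User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -"
)

# Labels 4738 lists under "Changed Attributes" (assumed list); a value of "-" means "did not change".
LABELS = [
    "SAM Account Name", "Display Name", "User Principal Name", "Home Directory", "Home Drive",
    "Script Path", "Profile Path", "User Workstations", "Password Last Set", "Account Expires",
    "Primary Group ID", "AllowedToDelegateTo", "Old UAC Value", "New UAC Value",
    "User Account Control", "User Parameters", "SID History", "Logon Hours",
]
_CANON = {label.lower(): label for label in LABELS}          # case-insensitive label lookup
_ALT = "|".join(re.escape(label) for label in LABELS)
_FIELD = re.compile(rf"({_ALT}):\s*(.*?)\s*(?=(?:{_ALT}):|$)", re.I | re.S)

def changed_attributes(event: str) -> dict:
    """Return only the attributes the event reports as actually changed (value other than '-')."""
    m = re.search(r"Changed Attributes:(.*?)(?:Additional Information:|$)", event, re.I | re.S)
    if not m:
        return {}
    return {_CANON[label.lower()]: value for label, value in _FIELD.findall(m.group(1))
            if value.strip() != "-"}

def triage_4738(event: str) -> dict:
    """Decide whether a 4738 deserves an alert on its own or should defer to its companion event."""
    changed = changed_attributes(event)
    actor = re.search(r"Subject:.*?Account Name:\s*(\S+)", event, re.S)
    target = re.search(r"Target Account:.*?Account Name:\s*(\S+)", event, re.S)
    if not changed:
        verdict = "suppress"          # creation/disable/etc.: the companion event carries the meaning
    elif set(changed) == {"Password Last Set"}:
        verdict = "password-set"      # the one case the thread wanted to catch precisely
    else:
        verdict = "attribute-change"  # several attributes at once: report them all in one alert
    return {"verdict": verdict, "actor": actor.group(1) if actor else None,
            "target": target.group(1) if target else None, "changed": changed}
```

Running `triage_4738(SAMPLE_4738)` reports actor `dg`, target `DP` and the single changed attribute `Password Last Set`, while the same event with every attribute at "-" is suppressed.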
