Windows User Account Activity Change Password (via Splunk)

Nessus Network Monitor Plugin ID 710004

Synopsis

SIEM Pull Service has detected via Splunk query that, on this Windows system, a user changed their password.

Description

SIEM Pull Service has detected via Splunk query that, on this Windows system, a user changed their password. The query used was:

(sourcetype="WinEventLog:Security" AND "Message=A user account was changed.") | regex "(Password\sLast\sSet:\s+\d+\/\d+\/\d+\s\d+\:\d+\:\d+\s)(AM|PM)"
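The two stages of the query applied to constructed events, as an added example that is not part of the plugin. The make_event helper, the sample events and the substring stand-in for Splunk's phrase search are assumptions; the regex is copied from the query above. It shows which "user account was changed" events the regex keeps and which it drops.

```python
import re

# Regex copied from the plugin's Splunk query (`| regex` runs it on the raw event).
PASSWORD_SET_RE = re.compile(
    r"(Password\sLast\sSet:\s+\d+\/\d+\/\d+\s\d+\:\d+\:\d+\s)(AM|PM)"
)
# Phrase from the base search; approximated here as a case-sensitive substring test.
BASE_PHRASE = "Message=A user account was changed."


def is_password_change(raw_event: str) -> bool:
    """Return True when the event survives both stages of the query."""
    if BASE_PHRASE not in raw_event:
        return False
    return PASSWORD_SET_RE.search(raw_event) is not None


def make_event(message: str, password_last_set: str) -> str:
    """Build a constructed, abbreviated WinEventLog:Security raw event."""
    return (
        "05/18/2018 10:42:17 AM\n"
        "LogName=Security\n"
        f"Message={message}\n"
        "Changed Attributes:\n"
        f"\tPassword Last Set:\t{password_last_set}\n"
        "\tAccount Expires:\t-\n"
    )


# Constructed samples, not real log data.
SAMPLES = {
    # Password was set: the field carries a 12-hour timestamp.
    "password_set": make_event("A user account was changed.", "5/18/2018 10:42:17 AM"),
    # Another attribute changed: the field is "-" and the regex drops the event.
    "other_change": make_event("A user account was changed.", "-"),
    # Timestamp rendered without AM/PM: the regex does not match, so it is missed.
    "no_am_pm": make_event("A user account was changed.", "18/05/2018 14:42:17"),
    # Different event type: rejected by the base search before the regex runs.
    "logon": make_event("An account was successfully logged on.", "5/18/2018 10:42:17 AM"),
}


def classify(samples: dict) -> dict:
    """Map each sample name to whether the query would report it."""
    return {name: is_password_change(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hit in classify(SAMPLES).items():
        print(f"{name}: {'reported' if hit else 'ignored'}")
```
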

Solution

N/A

Plugin Details

Severity: Info

ID: 710004

Family: Policy

Published: 8/20/2004

Updated: 5/18/2018