
Nitro Alert and Report Needed - User Password Changed by Non-Owner

I would like to build a Windows-based Alert and Report which shows password changes by someone other than the account owner. The Event ID in scope is:

  • 4723: An attempt was made to change an account's password

Windows logs record the account performing the password change as the Subject Account Name, which Nitro parses to the Source User field, and record the account receiving the password change as the Target Account Name, which Nitro parses to the Destination User field.

The Alert and Report must have the following filtering criteria:

SignatureID = 43-263047230

AND

Source User != Destination User

How do I accomplish the filtering criteria: Source User != Destination User?

2 Replies

Re: Nitro Alert and Report Needed - User Password Changed by Non-Owner

That can be achieved with a correlation rule.

Within the filter for Source User there is an option "not In" which can do the job for you. Try it and let me know; I'll be glad to help you.


Re: Nitro Alert and Report Needed - User Password Changed by Non-Owner

I'm in the same boat here... I don't see any way to use another field as a value. The match component only lets you set a variable, string value, watch list, etc.
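
The comparison the thread asks for (Source User != Destination User on event 4723), applied outside the SIEM to raw Windows event XML. This is an added example, not part of any post above and not Nitro rule syntax. The sample events and the helper names (make_event, non_owner_changes) are constructed for illustration; SubjectUserName, SubjectDomainName, TargetUserName and TargetDomainName are the EventData fields Windows writes for 4723.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def make_event(subj_dom, subj, tgt_dom, tgt, event_id=4723):
    """Build a constructed (not captured) Security-log event as event XML."""
    data = {"TargetUserName": tgt, "TargetDomainName": tgt_dom,
            "SubjectUserName": subj, "SubjectDomainName": subj_dom}
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{fields}</EventData></Event>')

# Constructed sample input; every account name here is made up.
SAMPLE_EVENTS = [
    make_event("CORP", "alice", "CORP", "alice"),        # owner changes own password
    make_event("CORP", "Alice", "corp", "alice"),        # same account, different case
    make_event("CORP", "helpdesk1", "CORP", "bob"),      # non-owner change
    make_event("CORP", "svc1", "CORP", "bob", 4624),     # other event ID, out of scope
    make_event("CORP", "admin", "WKSTN01", "admin"),     # same name, different domain
]

def parse(xml_text):
    """Return (event_id, {field name: value}) for one event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    fields = {d.get("Name"): (d.text or "")
              for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, fields

def account(fields, prefix):
    """Normalise to domain\\user; Windows account names are case-insensitive."""
    domain = fields.get(prefix + "DomainName", "").casefold()
    user = fields.get(prefix + "UserName", "").casefold()
    return f"{domain}\\{user}"

def non_owner_changes(events):
    """Return (source, destination) pairs for 4723 events where they differ."""
    hits = []
    for xml_text in events:
        event_id, fields = parse(xml_text)
        if event_id != 4723:
            continue
        src, dst = account(fields, "Subject"), account(fields, "Target")
        if src != dst:
            hits.append((src, dst))
    return hits

if __name__ == "__main__":
    for src, dst in non_owner_changes(SAMPLE_EVENTS):
        print(f"password change for {dst} attempted by {src}")
```

Comparing the user name alone would miss the last sample (a local and a domain account sharing a name), and a case-sensitive compare would flag the second one as a false positive.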