Sentinel 7.0.3 comes with several correlation rules. One of them is "A
Domain/Directory user's password has been changed by another user".


I applied/deployed this correlation rule and, as an Administrator, changed
the password of a user in MS AD. Sentinel got/received the event from
the event source (domain controller), and hitting the search button shows:


*A user account was changed*. (Operating System: Microsoft Active
Directory and Windows)
Account Management > Modify > Success
Message: A user account was changed. Subject: Security ID:
S-1-5-21-2047268717-1715346865-3493053259-500 Account Name: SuperCoach
Account Domain: DC Logon ID: 0x2ab99c Target Account ...

*An attempt was made to reset an account's password*. (Operating System:
Microsoft Active Directory and Windows)
Account Management > Set Credential > Success
Message: An attempt was made to reset an account's password. Subject:
Security ID: S-1-5-21-2047268717-1715346865-3493053259-500 Account

but the correlation rule never fired.

Am I missing something?


--
sharfuddin
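As an added example (not Sentinel's rule logic and not code from the post): a minimal check of the condition such a rule is assumed to evaluate, a successful Set Credential event whose subject account differs from the target account, run over constructed events mirroring the two shown above. The field names and the target account name "jsmith" are assumptions; an event whose target account was not parsed is deliberately treated as a non-match, since that is one way a rule that "should" fire stays silent.

```python
# Added example, not Sentinel's own rule code. Field names (taxonomy,
# initiator, target) and the target account "jsmith" are assumptions.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Event:
    name: str               # normalised event name as shown in the Sentinel search
    taxonomy: str           # e.g. "Account Management > Set Credential > Success"
    initiator: str          # Subject Account Name (who performed the action)
    target: Optional[str]   # Target Account Name; None if the collector did not parse it


def password_reset_by_other(ev: Event) -> Optional[str]:
    """Return a reason string when the assumed rule condition holds, else None.

    Condition: a successful Set Credential event where the subject (initiator)
    is a different account from the target. A 'Modify' event (4738-style
    "A user account was changed") alone does not satisfy it, and an event with
    no parsed target cannot satisfy it either.
    """
    if ev.taxonomy != "Account Management > Set Credential > Success":
        return None
    if ev.target is None:
        return None
    if ev.initiator.casefold() == ev.target.casefold():
        return None  # user reset their own password: not this rule's scenario
    return f"{ev.initiator} reset the password of {ev.target}"


def correlate(events: List[Event]) -> List[str]:
    """Apply the check to a batch of events and return the matches."""
    return [r for r in (password_reset_by_other(e) for e in events) if r]


# Constructed sample events mirroring the two entries in the post, plus two
# edge cases: a missing target field and a self-service reset.
SAMPLE = [
    Event("A user account was changed",
          "Account Management > Modify > Success", "SuperCoach", "jsmith"),
    Event("An attempt was made to reset an account's password",
          "Account Management > Set Credential > Success", "SuperCoach", "jsmith"),
    Event("An attempt was made to reset an account's password",
          "Account Management > Set Credential > Success", "SuperCoach", None),
    Event("An attempt was made to reset an account's password",
          "Account Management > Set Credential > Success", "jsmith", "jsmith"),
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE):
        print(hit)
```

Only the second sample event matches; if the collector leaves the target account empty (third event), the condition can never be true, which is worth checking in the raw event before suspecting the rule itself.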