Sentinel newbie here looking for some detail on the field name Initiator
User Domain. Typically this field matches our domain name, but
occasionally on 4771 Kerberos pre-auth failed events the field equals
"changepw". I am assuming this corresponds to a locked out account
given the event, but I am not 100% sure. Coming from an SM environment,
I am not familiar with this behavior and did not see any documentation
on this. Not surprising given the rather unambiguous field name.


--
psmcgovern