I have the standard correlation rule active "Multiple password changes
for one account over a short period of time":

filter(((e.xdasclass = 0) AND (e.xdasid = 6) AND (e.xdasoutcome =
0)))flow trigger(5,86400,discriminator(e.dun,e.rv45))

I have one SLES12 SP3 server that is running the NetIQ Security Agent
for Unix 7.5.1.

Since the change to winter time 2017-10-29, the correlation rule has
been triggering regularly.

Its this server that has this agent installed that is the source.

The event message is:
op=PAM:setcred acct="root" exe="/usr/sbin/cron" hostname=? addr=?
terminal=cron res=success

InitiatorServiceName is NQ-Agent-SUSE-auditd
The EventName is PAM:setcred event

Any ideas on how to troubleshoot this?