IBM QRadar


How to find who has reset my domain password. Is there a QID

  • 1.  How to find who has reset my domain password. Is there a QID

    Posted Thu November 12, 2020 07:35 PM

    The Windows Team resets the password for a user's domain login. Is there a way we can pull up the record from the logs of who the Windows admin was that reset the password for the user? Is there a QID or some query that can be run to find this event, specific to a user password reset for AD?



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: How to find who has reset my domain password. Is there a QID

    Posted Wed December 02, 2020 08:58 PM

    I think the Windows Event ID 4724 was the one indicating a privileged user changing a password for someone. If the auditing was set correctly on the source (Audit account management), QRadar should have it recognized, and the payload and normalized fields should show the username doing the change and the target username (In our lab -> Event: Success Audit: An attempt was made to reset an account's password; Category: Password Change Succeeded; QID: 5000895).



    #QRadar
    #Support
    #SupportMigration
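
An added example, not part of the original thread and not QRadar code: a Python sketch that extracts the resetting account (Subject) and the reset account (Target Account) from Event ID 4724 payload text, such as payloads exported from a search on the QID mentioned above. The sample payloads are constructed, and the function names and the assumption that account names contain no spaces are this example's own.

```python
import re

# Message text of Windows Event ID 4724, as quoted in the reply above.
RESET_MARKER = "An attempt was made to reset an account's password"

# "Subject" is the account that performed the reset; "Target Account" is the
# account whose password was reset. \s matches tabs and newlines as well as
# single spaces, so flattened one-line payloads parse the same way.
# Assumption: account and domain names contain no whitespace.
_FIELDS = r".*?Account Name:\s*(\S+)\s+Account Domain:\s*(\S+)"
SUBJECT_RE = re.compile(r"Subject:" + _FIELDS, re.DOTALL)
TARGET_RE = re.compile(r"Target Account:" + _FIELDS, re.DOTALL)

# Constructed sample payloads (not real log data).
SAMPLES = [
    # Multi-line 4724 message, tab-indented as Windows renders it.
    "An attempt was made to reset an account's password.\n\nSubject:\n"
    "\tSecurity ID:\t\tS-1-5-21-0-0-0-1104\n\tAccount Name:\t\tadm.jones\n"
    "\tAccount Domain:\t\tEXAMPLE\n\tLogon ID:\t\t0x3E7A1\n\nTarget Account:\n"
    "\tSecurity ID:\t\tS-1-5-21-0-0-0-2210\n\tAccount Name:\t\tjsmith\n"
    "\tAccount Domain:\t\tEXAMPLE\n",
    # Same event type flattened onto one line.
    "An attempt was made to reset an account's password. Subject: Security ID: "
    "S-1-5-21-0-0-0-1200 Account Name: helpdesk01 Account Domain: EXAMPLE Logon ID: "
    "0x51B2 Target Account: Security ID: S-1-5-21-0-0-0-2210 Account Name: jsmith "
    "Account Domain: EXAMPLE",
    # A user changing their own password: not a reset, must be ignored.
    "An attempt was made to change an account's password. Subject: Account Name: "
    "jsmith Account Domain: EXAMPLE Target Account: Account Name: jsmith "
    "Account Domain: EXAMPLE",
]

def parse_reset(payload):
    """Return who reset whose password, or None if not a parsable 4724 event."""
    if RESET_MARKER not in payload:
        return None
    subject, target = SUBJECT_RE.search(payload), TARGET_RE.search(payload)
    if not (subject and target):
        return None
    return {"reset_by": f"{subject.group(2)}\\{subject.group(1)}",
            "target": f"{target.group(2)}\\{target.group(1)}"}

def resets_for(payloads, username):
    """List the accounts that reset the password of `username` (case-insensitive)."""
    recs = (parse_reset(p) for p in payloads)
    return [r["reset_by"] for r in recs
            if r and r["target"].split("\\")[1].lower() == username.lower()]

if __name__ == "__main__":
    print(resets_for(SAMPLES, "jsmith"))
```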