From OSSEC Wiki

Additional rules

This is the place to store rules that are not meant for the official release, because they are specific to an environment or customized to an internal application.

Windows: Rule to alert on password changes by another user

This rule will trigger if the Caller user name is different from the target user name on Windows.

 <rule id="100155" level="10">
   <if_sid>18111</if_sid>
   <compiled_rule>comp_mswin_targetuser_calleruser_diff</compiled_rule>
   <description>User changed someone else password.</description>
 </rule>