topic Re: Password Reset Command for Splunk in Security

Password Reset Command for Splunk

keldridg2 — Wed, 14 Aug 2019 16:15:58 GMT

Can somebody show me a Splunk command on how to find a number of password resets and how I can display the total number of password resets to that user?

Re: Password Reset Command for Splunk

Sukisen1981 — Wed, 14 Aug 2019 16:26:34 GMT

something like this - ? index=_audit "action=password change"

Re: Password Reset Command for Splunk

keldridg2 — Wed, 14 Aug 2019 16:41:26 GMT

Thanks for the help.

Re: Password Reset Command for Splunk

Sukisen1981 — Wed, 14 Aug 2019 16:45:06 GMT

hi @keldridg2 - Did it work or did you have to do something different?
If this worked I will convert the comment into an answer, please accept it after the same.
If it did not and you did something else to resolve the issue please share your answer.
Both ways will benefit forum members who might face a similar issue in the future

Re: Password Reset Command for Splunk

keldridg2 — Wed, 14 Aug 2019 16:50:59 GMT

I founded that we do have the index=_audit but am wondering if it was index=main then how would I find the password change then.

Re: Password Reset Command for Splunk

Sukisen1981 — Wed, 14 Aug 2019 17:18:49 GMT

hi @keldridg2 - The _audit index, as the name suggests contains ALL(well, as much as splunk default audit info goes) audit information irrespective of the number of indexes you have, you log into splunk and not to an individual index.
Are we on the same page or is your need something different?
See for example how the above query captures password change info of splunk overall and NOT for any specific index.
Am I misunderstanding your question?
4/7/19
5:25:39.835 PM

Audit:[timestamp=04-07-2019 17:25:39.835, user=admin, action=password change, info=succeeded][n/a]
action = password change host = vvvvv source = audittrail sourcetype = audittrail user = admin

Re: Password Reset Command for Splunk

richgalloway — Wed, 14 Aug 2019 17:23:11 GMT

The answer by @Sukisen1981 is a good one, but only applies to changes users make to their Splunk passwords. To find other password changes in your environment, you will have to know how those changes are reported to Splunk, if at all. They could be in a Windows event, a Linux audit record, or some application log. We'll need more information to help you better.

Re: Password Reset Command for Splunk

keldridg2 — Wed, 14 Aug 2019 17:24:32 GMT

No this is what I am looking for. Thanks.

Re: Password Reset Command for Splunk

keldridg2 — Wed, 30 Sep 2020 01:46:20 GMT

index=main host=* source=* sourcetype=* password reset Account_Name=* | top limit=10 Account_Name

Re: Password Reset Command for Splunk

keldridg2 — Wed, 14 Aug 2019 17:45:45 GMT

This is what I am referring to.

Re: Password Reset Command for Splunk

Sukisen1981 — Wed, 14 Aug 2019 18:13:33 GMT

hi @keldridg2 - As much as I like earning karma points 🙂 🙂 , I can not see how my answer helps for your question.
Your sourcetype is custom and it looks like neither my suggestion nor @richgalloway 's suggestion is related to your requirement.
Please un-accept my answer, as I feel it has not contributed significantly to your issue.

Re: Password Reset Command for Splunk

keldridg2 — Wed, 14 Aug 2019 19:10:51 GMT

Sorry you do not feel like you contributed but your answer will help me with future uses as I been trying to research how to do a reset command but could only find ways how to reset Splunk password. It was difficult with wording what my idea is with index=main but do feel like your answer does help me out if a users decides to change their Splunk password.

Re: Password Reset Command for Splunk

Sukisen1981 — Wed, 14 Aug 2019 19:14:39 GMT

no worries 🙂 thanks for your time, do hope your issue is solved .. have a nice day / night ahead 🙂 🙂

Re: Password Reset Command for Splunk

keldridg2 — Wed, 14 Aug 2019 19:19:14 GMT

I will accept your answer and give you the points as I do feel like you help many people probably with this issue.