https://community.splunk.com/t5/Security/auditing-password-changes/m-p/197084#M5764 <P>If your context is Splunk's internal authentication system, then yes. Password changes produce an entry in the _audit index:</P> <PRE><CODE>index=_audit "action=password change" </CODE></PRE> <P>Will show you the relevant log entries.</P> <P>If you are using an external authentication mechanism (AD/LDAP), you will probably need to go to the source. But I am not sure about that one.</P> Thu, 12 Jun 2014 19:33:49 GMT s2_splunk 2014-06-12T19:33:49Z https://community.splunk.com/t5/Security/auditing-password-changes/m-p/197083#M5763 <P>Hi,</P> <P>Is there any record of when a password is changed for user accounts? I need to audit it for a security request. </P> Thu, 12 Jun 2014 10:29:41 GMT https://community.splunk.com/t5/Security/auditing-password-changes/m-p/197083#M5763 a212830 2014-06-12T10:29:41Z https://community.splunk.com/t5/Security/auditing-password-changes/m-p/197084#M5764 <P>If your context is Splunk's internal authentication system, then yes. Password changes produce an entry in the _audit index:</P> <PRE><CODE>index=_audit "action=password change" </CODE></PRE> <P>Will show you the relevant log entries.</P> <P>If you are using an external authentication mechanism (AD/LDAP), you will probably need to go to the source. But I am not sure about that one.</P> Thu, 12 Jun 2014 19:33:49 GMT https://community.splunk.com/t5/Security/auditing-password-changes/m-p/197084#M5764 s2_splunk 2014-06-12T19:33:49Z