Security

Password Reset Command for Splunk

keldridg2
New Member

Can somebody show me a Splunk command for finding the number of password resets and how I can display the total number of password resets for that user?

0 Karma
1 Solution

Sukisen1981
Champion

something like this - ? index=_audit "action=password change"


0 Karma

keldridg2
New Member

index=main host=* source=* sourcetype=* password reset Account_Name=* | top limit=10 Account_Name

0 Karma

keldridg2
New Member

This is what I am referring to.

0 Karma

Sukisen1981
Champion

hi @keldridg2 - As much as I like earning karma points 🙂 🙂 , I cannot see how my answer helps with your question.
Your sourcetype is custom and it looks like neither my suggestion nor @richgalloway's suggestion is related to your requirement.
Please un-accept my answer, as I feel it has not contributed significantly to your issue.

0 Karma

keldridg2
New Member

Sorry you do not feel like you contributed, but your answer will help me with future uses, as I have been trying to research how to do a reset command but could only find ways to reset the Splunk password. It was difficult to word what my idea is with index=main, but I do feel like your answer helps me out if a user decides to change their Splunk password.

0 Karma

Sukisen1981
Champion

no worries 🙂 thanks for your time, do hope your issue is solved .. have a nice day / night ahead 🙂 🙂

0 Karma

keldridg2
New Member

I will accept your answer and give you the points, as I do feel like you probably help many people with this issue.

0 Karma

Sukisen1981
Champion

something like this - ? index=_audit "action=password change"

0 Karma

keldridg2
New Member

Thanks for the help.

0 Karma

Sukisen1981
Champion

hi @keldridg2 - Did it work or did you have to do something different?
If this worked I will convert the comment into an answer, please accept it after the same.
If it did not and you did something else to resolve the issue please share your answer.
Both ways will benefit forum members who might face a similar issue in the future

0 Karma

keldridg2
New Member

I found that we do have the index=_audit, but I am wondering, if it was index=main, then how would I find the password change?

0 Karma

Sukisen1981
Champion

hi @keldridg2 - The _audit index, as the name suggests, contains ALL (well, as much as Splunk's default audit info goes) audit information irrespective of the number of indexes you have; you log into Splunk and not into an individual index.
Are we on the same page or is your need something different?
See for example how the above query captures password change info of Splunk overall and NOT for any specific index.
Am I misunderstanding your question?
4/7/19 5:25:39.835 PM

Audit:[timestamp=04-07-2019 17:25:39.835, user=admin, action=password change, info=succeeded][n/a]
action = password change host = vvvvv source = audittrail sourcetype = audittrail user = admin

0 Karma
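The original question asked for the total number of password changes per user. As an added example (not code from any poster in this thread), this Python script parses lines in the audittrail format shown above and tallies password-change events per user and outcome, the same aggregation `| stats count by user, info` would give in SPL. The sample lines are constructed, not real audit data.

```python
import re
from collections import Counter

# Matches the Splunk audittrail event shape shown in the thread:
# Audit:[timestamp=04-07-2019 17:25:39.835, user=admin, action=password change, info=succeeded][n/a]
AUDIT_RE = re.compile(r"Audit:\[(?P<body>[^\]]*)\]")


def parse_audit_event(line):
    """Return the key=value fields of one audittrail line, or None if it is not an Audit event."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    fields = {}
    for part in m.group("body").split(", "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def count_password_changes(lines):
    """Per-user Counter of password-change outcomes (succeeded/failed), like `stats count by user, info`."""
    counts = {}
    for line in lines:
        ev = parse_audit_event(line)
        if not ev or ev.get("action") != "password change":
            continue
        user = ev.get("user", "unknown")
        counts.setdefault(user, Counter())[ev.get("info", "unknown")] += 1
    return counts


def total_password_changes(lines):
    """Total password changes per user regardless of outcome, like `stats count by user`."""
    return {user: sum(c.values()) for user, c in count_password_changes(lines).items()}


# Constructed sample lines (not real audit data) in the format shown above.
SAMPLE = [
    "Audit:[timestamp=04-07-2019 17:25:39.835, user=admin, action=password change, info=succeeded][n/a]",
    "Audit:[timestamp=04-07-2019 17:26:02.101, user=admin, action=search, info=granted][n/a]",
    "Audit:[timestamp=04-07-2019 17:30:11.412, user=alice, action=password change, info=succeeded][n/a]",
    "Audit:[timestamp=04-07-2019 17:31:45.007, user=alice, action=password change, info=failed][n/a]",
    "Audit:[timestamp=04-07-2019 17:32:00.000, user=alice, action=password change, info=succeeded][n/a]",
    "not an audit event at all",
]

if __name__ == "__main__":
    for user, total in sorted(total_password_changes(SAMPLE).items()):
        print(f"{user}: {total} password change(s), {dict(count_password_changes(SAMPLE)[user])}")
```

A burst of failed outcomes for one user is the line worth alerting on, which is why the outcome is kept alongside the per-user total.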

keldridg2
New Member

No this is what I am looking for. Thanks.

0 Karma

richgalloway
SplunkTrust

The answer by @Sukisen1981 is a good one, but only applies to changes users make to their Splunk passwords. To find other password changes in your environment, you will have to know how those changes are reported to Splunk, if at all. They could be in a Windows event, a Linux audit record, or some application log. We'll need more information to help you better.

---
If this reply helps you, Karma would be appreciated.
0 Karma