Security

auditing password changes

a212830
Champion

Hi,

Is there any record of when a password is changed for user accounts? I need to audit it for a security request.

Tags (3)

s2_splunk
Splunk Employee
Splunk Employee

If your context is Splunk's internal authentication system, then yes. Password changes produce an entry in the _audit index:

index=_audit "action=password change"

Will show you the relevant log entries.

If you are using an external authentication mechanism (AD/LDAP), you will probably need to go to the source. But I am not sure about that one.

Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...