User changed his password and successfully logged in after the password change. How can I get a list of successfully logged-in users using a search query?

Path Finder

After the password reset, how can I get the failed attempts?


Builder

Hi @vin02

You can find info about the password change in:

index=_audit user=username "action=password change"

And after the password change, you can see info about the login in:

index=_audit user=username action="login attempt" info=succeeded

Thanks

Path Finder

The last command is correct, with just a small correction.

Instead of
index=_audit user=username "action=password change"
it should be
index=_audit user=username action="password change"


SplunkTrust

@vin02,

You could get the failed login by using

index=_audit action="login attempt" info=failed

or even

index=_audit action="login attempt" |stats count by info,user


Path Finder

First need to check for the password change, then the successful login with the new password.


SplunkTrust

@vin02,

Sample SPL with the data; you can adjust it according to your requirement.

index=_audit (action="password change" OR action="login attempt")
| table _time, user, action, info
| sort - _time
| streamstats current=f last(action) as next_action, last(info) as next_info by user
| eval status=if(action=="password change" AND info=="succeeded" AND next_action=="login attempt" AND next_info=="succeeded", "OK", "NOK")
| where action=="password change"
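The correlation in the search above, as an added Python example that is not part of the original thread, run offline over exported events. It goes one step further than the search: for each successful password change it counts the failed attempts until the first successful login, which covers both parts of the question. The line layout and the sample events are constructed for illustration; only the field names (user, action, info) and their values come from the searches in this thread.

```python
import re
from collections import defaultdict

# Constructed sample events (not real audit data), carrying the fields the
# thread's searches use: a timestamp, user, action and info.
SAMPLE = """\
2024-05-01T09:00:00 user=alice action="password change" info=succeeded
2024-05-01T09:01:10 user=alice action="login attempt" info=failed
2024-05-01T09:01:40 user=alice action="login attempt" info=failed
2024-05-01T09:02:05 user=alice action="login attempt" info=succeeded
2024-05-01T09:30:00 user=bob action="password change" info=succeeded
2024-05-01T09:31:00 user=bob action="login attempt" info=failed
2024-05-01T10:00:00 user=carol action="login attempt" info=succeeded
2024-05-01T10:05:00 user=carol action="password change" info=succeeded
2024-05-01T10:06:00 user=carol action="login attempt" info=succeeded
"""

# Assumed export layout: "<ISO time> user=<name> action="<action>" info=<result>"
LINE = re.compile(r'^(\S+) user=(\S+) action="([^"]+)" info=(\S+)$')

def logins_after_password_change(text):
    """One row per successful password change: failures until the first good login."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, user, action, info = m.groups()
            events[user].append((ts, action, info))
    report = []
    for user, evs in events.items():
        evs.sort()  # ISO 8601 timestamps sort chronologically as strings
        current = None  # the most recent password change for this user
        for ts, action, info in evs:
            if action == "password change" and info == "succeeded":
                current = {"user": user, "changed_at": ts,
                           "failed_after": 0, "first_success": None}
                report.append(current)
            elif action == "login attempt" and current and current["first_success"] is None:
                if info == "succeeded":
                    current["first_success"] = ts
                elif info == "failed":
                    current["failed_after"] += 1
    return sorted(report, key=lambda r: r["changed_at"])

if __name__ == "__main__":
    for row in logins_after_password_change(SAMPLE):
        print(row)
```

A row whose first_success is None is a password change with no successful login after it, and logins recorded before a user's first password change are ignored.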

Path Finder

Thanks @renjith.nair


SplunkTrust

@vin02, if it worked for you, please accept it as the answer.
