Security

user changed his password and successfully logged in after password change. How can i get list successful logged in user using search query?

vin02
Path Finder

user changed his password and successfully logged in after password change. How can i get list successful logged in user using search query?
after password reset, how can i get failed attempt.

Labels (1)
Tags (2)
0 Karma
1 Solution

renjith_nair
SplunkTrust
SplunkTrust

@vin02,

You could get the failed login by using

index=_audit action="login attempt" info=failed

or even

index=_audit action="login attempt" |stats count by info,user
Happy Splunking!

View solution in original post

0 Karma

PowerPacked
Builder

Hi @vin02

You can find info about password change in,

index=_audit user=username "action=password change"

alt text

& after password change, you can see info about login in

index=_audit user=username action="login attempt" info=succeeded

Thanks

vinitpathri
Path Finder

last command is correct with just a small correction

instead of
index=_audit user=username "action=password change"
it should be
index=_audit user=username action="password change"

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@vin02,

You could get the failed login by using

index=_audit action="login attempt" info=failed

or even

index=_audit action="login attempt" |stats count by info,user
Happy Splunking!
0 Karma

vin02
Path Finder

first need to check for password change then successful login with new password

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@vin02,

Sample SPL with the data, you can adjust according to your requirement

index=_audit (action="password change" OR action="login attempt")|table _time,user,action,info|sort - _time
|streamstats current=f last(action) as next_action,last(info) as next_info  by user
|eval status=if(action=="password change" AND info="succeeded" AND next_action="login attempt" AND next_info=="succeeded","OK","NOK")
|where action=="password change"
Happy Splunking!
0 Karma

vin02
Path Finder

thanks @renjith.nair

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@vin02, if it worked for you, please accept as answer

Happy Splunking!
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...