Splunk Search

What Search can monitor Password Changed not by Automation?

Eyal
Path Finder

Hi Splunk Community,

I need a Splunk Query that monitors a password change in the DC log source that was not performed by the user from log source X (DC);

Rather to be performed by an automation of the system itself log source Y (Automated Password System).

I want to trigger the search only in case the password change event was received and from that point to search 10 minutes back to see if the trigger was the system itself or an actual user.

Can you please assist 🙂

Labels (1)
0 Karma

Eyal
Path Finder

Hi PickleRick (Very Nice Name),

I see what you mean let me check this and will update ASAP if it worked 🙂

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Before we dig deeper into the search itself, question is whether the same search run later on earlier data works properly. If it does even though on the initial run it gave you a false positive, it would mean that your data flow is inconsistent and your events are delayed.

I do suspect there is something wrong with quality of your data and/or data flow because you're searching into the future (earliest=-10m latest=+4m)

Eyal
Path Finder

Hi, 

I have tuned my question maybe you can help? 🙂

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Actually, it's not a question about _how_ to search in Splunk but rather _what_ to search for.

And here you need a windows guy who will tell you what kind of events you need in the first place.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...