Solved: help on a query - password changed on first login ...

rsaude · ‎02-05-2020

Hey everyone,

Im trying to come up with a way to get a table stating that, a user was created in splunk had the "Require password change on first login" box checked,

is there any way to get that information?

Thanks in advanced

begleyj1 · ‎02-05-2020

See if you have the following fields in your audit index:

index=audit action=create_user

You should see within the raw log the passwordState field and the value should be along the lines of force password change. You can just rex that field out with this

| rex field=_raw "passwordState=(?<passwordState>[^\s]+)"

Then all you need to do from there is just table the fields:

| table _time, index, action, passwordState, *

View solution in original post

begleyj1 · ‎02-05-2020

See if you have the following fields in your audit index:

index=audit action=create_user

You should see within the raw log the passwordState field and the value should be along the lines of force password change. You can just rex that field out with this

| rex field=_raw "passwordState=(?<passwordState>[^\s]+)"

Then all you need to do from there is just table the fields:

| table _time, index, action, passwordState, *

rsaude · ‎02-06-2020

THANK YOUUUUUU, you just made worth my 4 hours looking for it

rsaude · ‎02-06-2020

PS: the index is _audit not just audit

help on a query - password changed on first login on splunk

Fun with Regular Expression - multiples of nine

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

help on a query - password changed on first login on splunk

Fun with Regular Expression - multiples of nine

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

What’s New & Next in Splunk SOAR