Solved: Re: help on a query - password changed on first lo...

rsaude · ‎02-05-2020

Hey everyone,

Im trying to come up with a way to get a table stating that, a user was created in splunk had the "Require password change on first login" box checked,

is there any way to get that information?

Thanks in advanced

begleyj1 · ‎02-05-2020

See if you have the following fields in your audit index:

index=audit action=create_user

You should see within the raw log the passwordState field and the value should be along the lines of force password change. You can just rex that field out with this

| rex field=_raw "passwordState=(?<passwordState>[^\s]+)"

Then all you need to do from there is just table the fields:

| table _time, index, action, passwordState, *

View solution in original post

begleyj1 · ‎02-05-2020

See if you have the following fields in your audit index:

index=audit action=create_user

You should see within the raw log the passwordState field and the value should be along the lines of force password change. You can just rex that field out with this

| rex field=_raw "passwordState=(?<passwordState>[^\s]+)"

Then all you need to do from there is just table the fields:

| table _time, index, action, passwordState, *

rsaude · ‎02-06-2020

THANK YOUUUUUU, you just made worth my 4 hours looking for it

rsaude · ‎02-06-2020

PS: the index is _audit not just audit

help on a query - password changed on first login on splunk

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases