Hello everyone,
My environment has a Splunk server configured and I'm trying to find logs of viewed passwords to generate alerts.
I can find when the solicitation was made and approved, but I can't find when the user sees the password.
Request Sent Splunk log.
<Metric>
<type>viewAccountPassword</type>
<level>1</level>
<description>
<hashmap>
<k>commandInitiator</k>
<v>USER</v>
<k>adminUserID</k>
<v>USERXXXXXXX</v>
<k>reason</k>
<v>Severity 1: Manual recovery from server outage</v>
<k>Attribute.descriptor2</k>
<v />
<k>Attribute.descriptor1</k>
<v />
<k>reasonDetails</k>
<v>wq</v>
<k>password</k>
<v />
<k>TargetAccount.accessType</k>
<v />
<k>adminPassword</k>
<v />
<k>selectedComponent</k>
<v>0</v>
<k>PasswordViewRequest.comments</k>
<v>a</v>
<k>TargetAccount.ID</k>
<v>012345</v>
<k>TargetApplication.name</k>
<v>APPLICATION ANME</v>
<k>TargetServer.hostName</k>
<v>HOST NAME</v>
<k>GKCallback.gkrequest</k>
<v>true</v>
<k>referenceCode</k>
<v>a</v>
<k>PasswordViewRequest.requestPeriodStart</k>
<v>2021-08-31 19:37:00</v>
<k>PasswordViewRequest.requestPeriodEnd</k>
<v>2021-08-31 20:37:00</v>
<k>TargetAccount.userName</k>
<v>targetaccount</v>
</hashmap>
</description>
<errorCode>4625</errorCode>
<userID>USERUSER</userID>
<success>false</success>
<originatingIPAddress />
<originatingHostName />
<extensionType />
</Metric>
Request Approved Splunk log.
<?xml version="1.0" encoding="UTF-8"?>
<Metric>
<type>viewAccountPassword</type>
<level>1</level>
<description>
<hashmap>
<k>commandInitiator</k>
<v>USER</v>
<k>adminUserID</k>
<v>USERXXXX</v>
<k>reason</k>
<v>Other</v>
<k>Attribute.descriptor2</k>
<v />
<k>Attribute.descriptor1</k>
<v />
<k>cmdName</k>
<v>viewAccountPassword</v>
<k>reasonDetails</k>
<v>Not required</v>
<k>password</k>
<v />
<k>ExclusivePasswordViewRequest.machineId</k>
<v>DASDASDSADAS</v>
<k>TargetAccount.accessType</k>
<v />
<k>adminPassword</k>
<v />
<k>authentication</k>
<v>CSPM</v>
<k>TargetAccount.ID</k>
<v>ASDSADAS</v>
<k>TargetApplication.name</k>
<v>ApplicationName</v>
<k>PasswordViewRequest.ssoType</k>
<v>Any</v>
<k>TargetServer.hostName</k>
<v>hostName</v>
<k>GKCallback.gkrequest</k>
<v>true</v>
<k>TargetAccount.userName</k>
<v>account</v>
</hashmap>
</description>
<errorCode>0</errorCode>
<userID>useruseruser</userID>
<success>true</success>
<originatingIPAddress>000.000.000.000</originatingIPAddress>
<originatingHostName>localhost</originatingHostName>
<extensionType />
</Metric>
Do you guys have a sample of the log from when the user sees the password?
Thank you all.
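As an added example (not from the original post or from the vendor of the product that writes these records), here is a small Python parser for the two `<Metric>` records above. It flattens the `<k>`/`<v>` pairs in the `<hashmap>` into a dict, pulls out the scalar fields (`type`, `errorCode`, `userID`, `success`, `originatingIPAddress`, `originatingHostName`), repairs the `value/v>` close-tag defect seen in the pasted approval log, and labels each record using the post's own two samples as the reference: `success=false`/`errorCode 4625` is the request being sent and `success=true`/`errorCode 0` is the approved request. That mapping, and the two sample records, are assumptions taken from the post, not product documentation; the `stage`, `alert_summary` and `password_is_empty` names are mine. It does not know what the record for the actual password view looks like, since the post does not show one.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample records modelled on the two <Metric> entries in the post.
# Values are placeholders. The second record keeps the "ApplicationName/v>"
# defect from the pasted approval log so the repair step is exercised.
REQUEST_LOG = """<Metric>
<type>viewAccountPassword</type>
<level>1</level>
<description>
<hashmap>
<k>commandInitiator</k>
<v>USER</v>
<k>adminUserID</k>
<v>USERXXXXXXX</v>
<k>reason</k>
<v>Severity 1: Manual recovery from server outage</v>
<k>password</k>
<v />
<k>adminPassword</k>
<v />
<k>TargetAccount.ID</k>
<v>012345</v>
<k>TargetServer.hostName</k>
<v>HOST NAME</v>
<k>PasswordViewRequest.requestPeriodStart</k>
<v>2021-08-31 19:37:00</v>
<k>TargetAccount.userName</k>
<v>targetaccount</v>
</hashmap>
</description>
<errorCode>4625</errorCode>
<userID>USERUSER</userID>
<success>false</success>
<originatingIPAddress />
<originatingHostName />
</Metric>"""

APPROVED_LOG = """<?xml version="1.0" encoding="UTF-8"?>
<Metric>
<type>viewAccountPassword</type>
<level>1</level>
<description>
<hashmap>
<k>commandInitiator</k>
<v>USER</v>
<k>adminUserID</k>
<v>USERXXXX</v>
<k>cmdName</k>
<v>viewAccountPassword</v>
<k>password</k>
<v />
<k>adminPassword</k>
<v />
<k>TargetAccount.ID</k>
<v>ASDSADAS</v>
<k>TargetApplication.name</k>
<v>ApplicationName/v>
<k>TargetServer.hostName</k>
<v>hostName</v>
<k>TargetAccount.userName</k>
<v>account</v>
</hashmap>
</description>
<errorCode>0</errorCode>
<userID>useruseruser</userID>
<success>true</success>
<originatingIPAddress>000.000.000.000</originatingIPAddress>
<originatingHostName>localhost</originatingHostName>
</Metric>"""


def repair_record(text: str) -> str:
    """Drop the XML declaration and turn a bare 'value/v>' into 'value</v>'."""
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    return re.sub(r"(?<!<)/v>", "</v>", text)


def flatten_hashmap(hashmap) -> dict:
    """Pair each <k> with the <v> that follows it; an empty <v /> becomes ''."""
    fields, key = {}, None
    for child in hashmap:
        if child.tag == "k":
            key = (child.text or "").strip()
        elif child.tag == "v" and key is not None:
            fields[key] = (child.text or "").strip()
            key = None
    return fields


def parse_metric(text: str) -> dict:
    """Parse one <Metric> record into scalar fields plus the flattened hashmap."""
    root = ET.fromstring(repair_record(text))
    if root.tag != "Metric":
        raise ValueError(f"expected <Metric>, got <{root.tag}>")

    def scalar(tag: str) -> str:
        el = root.find(tag)
        return (el.text or "").strip() if el is not None else ""

    hashmap = root.find("description/hashmap")
    return {
        "type": scalar("type"),
        "level": scalar("level"),
        "errorCode": scalar("errorCode"),
        "userID": scalar("userID"),
        "success": scalar("success").lower() == "true",
        "originatingIPAddress": scalar("originatingIPAddress"),
        "originatingHostName": scalar("originatingHostName"),
        "fields": flatten_hashmap(hashmap) if hashmap is not None else {},
    }


def stage(record: dict) -> str:
    """Label the record by the two samples in the post (assumption, not vendor docs):
    success=false/errorCode 4625 -> request sent; success=true/errorCode 0 -> approved."""
    if record["type"] != "viewAccountPassword":
        return "other"
    if record["success"] and record["errorCode"] == "0":
        return "approved"
    return "requested"


def password_is_empty(record: dict) -> bool:
    """Defender check: the secret itself must not be present in the log record."""
    f = record["fields"]
    return f.get("password", "") == "" and f.get("adminPassword", "") == ""


def alert_summary(record: dict) -> str:
    """One-line summary suitable for an alert body."""
    f = record["fields"]
    return (
        f"{stage(record)}: user={record['userID'] or f.get('adminUserID', '')} "
        f"target={f.get('TargetAccount.userName', '')}@{f.get('TargetServer.hostName', '')} "
        f"reason={f.get('reason', '')!r} src={record['originatingIPAddress'] or '-'}"
    )


if __name__ == "__main__":
    for raw in (REQUEST_LOG, APPROVED_LOG):
        rec = parse_metric(raw)
        print(alert_summary(rec), "| password field empty:", password_is_empty(rec))
```

Point it at the raw `_raw` of each Splunk event instead of the constructed strings to get the same dict per record; `password_is_empty` is worth keeping as a standing check, because the records in the post carry a `password` key and you want to be sure it stays blank.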