Symantec Privileged Access Management

  • 1.  Splunk LOGS

    Posted Sep 20, 2021 02:25 PM
    Hello everyone,

    My environment has a Splunk server configured and I'm trying to find logs of viewed passwords to generate alerts.

    I can find when the request was made and approved, but I can't find when the user sees the password.

    Request sent Splunk log.

    <Metric>
       <type>viewAccountPassword</type>
       <level>1</level>
       <description>
          <hashmap>
             <k>commandInitiator</k>
             <v>USER</v>
             <k>adminUserID</k>
             <v>USERXXXXXXX</v>
             <k>reason</k>
             <v>Severity 1: Manual recovery from server outage</v>
             <k>Attribute.descriptor2</k>
             <v />
             <k>Attribute.descriptor1</k>
             <v />
             <k>reasonDetails</k>
             <v>wq</v>
             <k>password</k>
             <v />
             <k>TargetAccount.accessType</k>
             <v />
             <k>adminPassword</k>
             <v />
             <k>selectedComponent</k>
             <v>0</v>
             <k>PasswordViewRequest.comments</k>
             <v>a</v>
             <k>TargetAccount.ID</k>
             <v>012345</v>
             <k>TargetApplication.name</k>
             <v>APPLICATION ANME</v>
             <k>TargetServer.hostName</k>
             <v>HOST NAME</v>
             <k>GKCallback.gkrequest</k>
             <v>true</v>
             <k>referenceCode</k>
             <v>a</v>
             <k>PasswordViewRequest.requestPeriodStart</k>
             <v>2021-08-31 19:37:00</v>
             <k>PasswordViewRequest.requestPeriodEnd</k>
             <v>2021-08-31 20:37:00</v>
             <k>TargetAccount.userName</k>
             <v>targetaccount</v>
          </hashmap>
       </description>
       <errorCode>4625</errorCode>
       <userID>USERUSER</userID>
       <success>false</success>
       <originatingIPAddress />
       <originatingHostName />
       <extensionType />
    </Metric>


    Request approved Splunk log.

    <?xml version="1.0" encoding="UTF-8"?>
    <Metric>
       <type>viewAccountPassword</type>
       <level>1</level>
       <description>
          <hashmap>
             <k>commandInitiator</k>
             <v>USER</v>
             <k>adminUserID</k>
             <v>USERXXXX</v>
             <k>reason</k>
             <v>Other</v>
             <k>Attribute.descriptor2</k>
             <v />
             <k>Attribute.descriptor1</k>
             <v />
             <k>cmdName</k>
             <v>viewAccountPassword</v>
             <k>reasonDetails</k>
             <v>Not required</v>
             <k>password</k>
             <v />
             <k>ExclusivePasswordViewRequest.machineId</k>
             <v>DASDASDSADAS</v>
             <k>TargetAccount.accessType</k>
             <v />
             <k>adminPassword</k>
             <v />
             <k>authentication</k>
             <v>CSPM</v>
             <k>TargetAccount.ID</k>
             <v>ASDSADAS</v>
             <k>TargetApplication.name</k>
             <v>ApplicationName</v>
             <k>PasswordViewRequest.ssoType</k>
             <v>Any</v>
             <k>TargetServer.hostName</k>
             <v>hostName</v>
             <k>GKCallback.gkrequest</k>
             <v>true</v>
             <k>TargetAccount.userName</k>
             <v>account</v>
          </hashmap>
       </description>
       <errorCode>0</errorCode>
       <userID>useruseruser</userID>
       <success>true</success>
       <originatingIPAddress>000.000.000.000</originatingIPAddress>
       <originatingHostName>localhost</originatingHostName>
       <extensionType />
    </Metric>


    Do you guys have a sample of the log when the user sees the password?

    Thank you all.



  • 2.  RE: Splunk LOGS

    Broadcom Employee
    Posted Sep 23, 2021 10:57 PM
    Hello Yan, the second message should be the actual password view event. The event generated when the approver approves the request has type "updatePasswordViewRequestStatus", not type "viewAccountPassword". You can see that the error code is 0, meaning the password view attempt was successful. The first event shows error code 4625, the password view was NOT successful, because it needed to be approved first.
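
The distinction in the reply above (type viewAccountPassword with errorCode 0 and success true is the real view; errorCode 4625 is a view blocked pending approval; updatePasswordViewRequestStatus is the approver's decision) can be turned into detection logic before the events reach an alert. The following is an added example, not code from the thread or from Symantec PAM; the three sample events are constructed from the two records posted here, with placeholder users, hosts and IPs, and the field names assumed to match those records.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Constructed sample events modelled on the thread's <Metric> records
# (user names, hostnames and IPs are placeholders, not real values).
PENDING_VIEW = """<Metric><type>viewAccountPassword</type><level>1</level>
<description><hashmap><k>adminUserID</k><v>USER1</v>
<k>TargetServer.hostName</k><v>db01.example.test</v>
<k>TargetAccount.userName</k><v>root</v><k>password</k><v /></hashmap></description>
<errorCode>4625</errorCode><userID>USER1</userID><success>false</success></Metric>"""

SUCCESSFUL_VIEW = """<Metric><type>viewAccountPassword</type><level>1</level>
<description><hashmap><k>adminUserID</k><v>USER1</v>
<k>TargetServer.hostName</k><v>db01.example.test</v>
<k>TargetAccount.userName</k><v>root</v><k>password</k><v /></hashmap></description>
<errorCode>0</errorCode><userID>USER1</userID><success>true</success>
<originatingIPAddress>10.0.0.5</originatingIPAddress></Metric>"""

APPROVAL = """<Metric><type>updatePasswordViewRequestStatus</type><level>1</level>
<description><hashmap><k>adminUserID</k><v>APPROVER</v></hashmap></description>
<errorCode>0</errorCode><userID>APPROVER</userID><success>true</success></Metric>"""


def parse_hashmap(metric: ET.Element) -> Dict[str, str]:
    """Turn the alternating <k>/<v> children into a dict; an empty <v /> becomes ''."""
    hm = metric.find("description/hashmap")
    children = list(hm) if hm is not None else []
    keys = [c.text or "" for c in children if c.tag == "k"]
    vals = [c.text or "" for c in children if c.tag == "v"]
    return dict(zip(keys, vals))


def classify(xml_text: str) -> Optional[Dict[str, str]]:
    """Return alert fields for a successful password view, otherwise None."""
    # Leading whitespace before an <?xml ...?> declaration would break parsing.
    root = ET.fromstring(xml_text.strip())
    etype = (root.findtext("type") or "").strip()
    code = (root.findtext("errorCode") or "").strip()
    ok = (root.findtext("success") or "").strip().lower() == "true"
    # Approval decisions and 4625 (view refused pending approval) are not views.
    if etype != "viewAccountPassword" or code != "0" or not ok:
        return None
    fields = parse_hashmap(root)
    return {
        "viewer": root.findtext("userID") or fields.get("adminUserID", ""),
        "target_user": fields.get("TargetAccount.userName", ""),
        "target_host": fields.get("TargetServer.hostName", ""),
        "source_ip": root.findtext("originatingIPAddress") or "",
    }
```

Only the second sample yields alert fields; the pending view and the approval event are dropped, which is the filter the Splunk alert needs to apply.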


  • 3.  RE: Splunk LOGS

    Posted Sep 24, 2021 08:57 AM
    Thank you Ralf, I managed to configure my alerts based on viewed passwords.