How can you filter Splunk logs to determine what changed in a Password Composition Policy

Article ID: 370209

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

A PAM administrator needs to determine who changed a given PAM Password Composition Policy (PCP), what was changed, and when.

Environment

PAM 4.1.x

Resolution

When PAM is configured to send its audit log to Splunk in the Space Delimited Message Format, events for Password Composition Policies carry the following tag:

audit DETAIL Password.Composition.Policy

Note that Create.Date and Update.Date are Unix epoch timestamps (seconds since 1970-01-01 UTC). If the two values are equal, the message records the creation of the policy; if they differ, the message records an update, and Update.Date is when that update was made.

So the following search:

host="<pam ip>" "Password.Composition.Policy" "Name=<PCP Name>"

returns the history of that PCP. Take the Splunk messages from before and after the change and DIFF them to see which attribute values changed.

For example, if you change "Maximum Length" in a PCP from 18 to 15, the earlier Splunk message will contain the original value:

Attribute.Name=maxLength Attribute.Value=18

and the later message the new value:

Attribute.Name=maxLength Attribute.Value=15
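The search above only returns the raw messages; the comparison still has to be done by hand. The Python script below is an added example, not part of this article and not PAM or Splunk code, that does the DIFF automatically over messages exported from Splunk. It assumes one space-delimited line per policy attribute carrying the fields named above (Name, Create.Date, Update.Date, Attribute.Name, Attribute.Value); the sample log lines, policy names and attribute names such as minLength and requireSpecial are constructed for illustration and were not captured from a real PAM system.

```python
"""Reconstruct the change history of a PAM Password Composition Policy
from Splunk audit messages.

Added example for this article; it is not CA PAM or Splunk code. Assumed
message layout: one space-delimited line per policy attribute carrying
the tag and the field names the article mentions (Name, Create.Date,
Update.Date, Attribute.Name, Attribute.Value). Real messages may carry
additional fields and may list them in a different order.
"""
import re
from datetime import datetime, timezone

TAG = "Password.Composition.Policy"
KV_RE = re.compile(r"(\S+?)=(\S+)")  # assumption: values contain no spaces

# Constructed sample events (not captured from a real PAM system).
# Corp-Servers is created with two attributes, then one day later
# maxLength is lowered from 18 to 15 and requireSpecial is added.
# Dev-Boxes is created with two attributes, then maxLength disappears.
SAMPLE_LOG = """\
audit DETAIL Password.Composition.Policy Name=Corp-Servers Create.Date=1700000000 Update.Date=1700000000 Attribute.Name=minLength Attribute.Value=12
audit DETAIL Password.Composition.Policy Name=Corp-Servers Create.Date=1700000000 Update.Date=1700000000 Attribute.Name=maxLength Attribute.Value=18
audit DETAIL Password.Composition.Policy Name=Corp-Servers Create.Date=1700000000 Update.Date=1700086400 Attribute.Name=minLength Attribute.Value=12
audit DETAIL Password.Composition.Policy Name=Corp-Servers Create.Date=1700000000 Update.Date=1700086400 Attribute.Name=maxLength Attribute.Value=15
audit DETAIL Password.Composition.Policy Name=Corp-Servers Create.Date=1700000000 Update.Date=1700086400 Attribute.Name=requireSpecial Attribute.Value=true
audit DETAIL Password.Composition.Policy Name=Dev-Boxes Create.Date=1700050000 Update.Date=1700050000 Attribute.Name=minLength Attribute.Value=8
audit DETAIL Password.Composition.Policy Name=Dev-Boxes Create.Date=1700050000 Update.Date=1700050000 Attribute.Name=maxLength Attribute.Value=20
audit DETAIL Password.Composition.Policy Name=Dev-Boxes Create.Date=1700050000 Update.Date=1700100000 Attribute.Name=minLength Attribute.Value=8
"""


def parse_line(line):
    """Return the key=value fields of one PCP audit message, or None."""
    if TAG not in line:
        return None
    return dict(KV_RE.findall(line))


def epoch_to_iso(epoch):
    """PAM writes Create.Date and Update.Date as Unix epoch seconds."""
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).isoformat()


def build_snapshots(log_text, name):
    """Group the messages for one policy by Update.Date into snapshots.

    Returns a list of (update_epoch, create_epoch, {attr: value}) in
    time order; every message with the same Update.Date belongs to the
    same version of the policy.
    """
    snaps = {}
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields or fields.get("Name") != name:
            continue
        key = int(fields["Update.Date"])
        entry = snaps.setdefault(key, (int(fields["Create.Date"]), {}))
        entry[1][fields["Attribute.Name"]] = fields["Attribute.Value"]
    return [(u, c, attrs) for u, (c, attrs) in sorted(snaps.items())]


def diff_policy(log_text, name):
    """Diff consecutive snapshots, as you would DIFF two Splunk messages.

    Each event says whether the snapshot is the creation (Create.Date ==
    Update.Date) or an update, plus {attr: (old, new)} for every
    attribute that was added, changed or removed. The first snapshot is
    diffed against an empty policy, so its attributes show as (None, v).
    """
    events = []
    previous = {}
    for update, create, attrs in build_snapshots(log_text, name):
        changes = {}
        for attr in sorted(set(previous) | set(attrs)):
            old, new = previous.get(attr), attrs.get(attr)
            if old != new:
                changes[attr] = (old, new)
        events.append({
            "at": epoch_to_iso(update),
            "kind": "created" if create == update else "updated",
            "changes": changes,
        })
        previous = attrs
    return events


if __name__ == "__main__":
    for event in diff_policy(SAMPLE_LOG, "Corp-Servers"):
        print(event["at"], event["kind"])
        for attr, (old, new) in event["changes"].items():
            print(f"  {attr}: {old} -> {new}")
```

Run the Splunk search from this article, export the matching events as raw text, and pass that text to diff_policy with the PCP name. One caveat on the assumption built into build_snapshots: it treats each Update.Date as a complete picture of the policy, so an attribute that is present in an earlier snapshot and absent from a later one is reported as removed. If your PAM version emits only the attributes that changed on an update, drop that part of the comparison and report only attributes present in the later snapshot.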