Find passwords in User_Name field

This eval can be used on any field where a user may accidentally type a password, or worse, both the username and the password, into the username box during login, which produces a failed-logon event with the secret in the account-name field. The example below is for Windows failed logons. The regex flags any User_Name value of 10 or more characters that contains at least one uppercase letter, one lowercase letter, one digit and one special (non-word) character. The search assumes a "User_Name" field is being extracted from your Windows Security event logs (the raw 4625 event carries the value as Account_Name); adjust the field name as needed. Two things to keep in mind: "\W" also matches whitespace and punctuation such as a hyphen but not an underscore, so a legitimate account like a hyphenated service account can show up while a password built around underscores will not, so review the results rather than alerting on them blindly. And every hit is a cleartext credential that is now stored in your index, so restrict who can run this search or view its dashboard, and treat the affected accounts as needing a password reset.

source=WinEventLog:Security TaskCategory=Logon Keywords="Audit Failure"
| eval password=if(match(User_Name, "^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[\W])(?=.{10,})"), "Yes", "No")
| stats count by password User_Name
| search password=Yes
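To see exactly what that regex will and will not flag before pointing it at production data, here is the same complexity check run in Python over a handful of constructed failed-logon records. This is an added example, not code from the original post or from Splunk; the sample events, field names and the `mask_value` helper are assumptions made for illustration, and the records are made up rather than real log data.

```python
import re

# The same pattern as the Splunk eval above: at least one lowercase letter,
# one uppercase letter, one digit and one non-word character, 10+ chars total.
PASSWORD_LIKE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[\W])(?=.{10,})")


def looks_like_password(value: str) -> bool:
    """True when a User_Name value satisfies the password-complexity heuristic."""
    return PASSWORD_LIKE.match(value) is not None


# Constructed sample events shaped like Windows 4625 failed-logon records with a
# User_Name field already extracted. These are invented for the example, not real logs.
SAMPLE_EVENTS = [
    {"EventCode": 4625, "User_Name": "jsmith", "Workstation_Name": "WS01"},
    {"EventCode": 4625, "User_Name": "Summer2019!", "Workstation_Name": "WS01"},
    # username and password typed together into one box: the space counts as \W
    {"EventCode": 4625, "User_Name": "jsmith Summer2019!", "Workstation_Name": "WS02"},
    # false positive: a legitimate service account name with a hyphen
    {"EventCode": 4625, "User_Name": "svc-Backup01", "Workstation_Name": "SRV03"},
    # missed: underscore is a word character, so \W does not match it
    {"EventCode": 4625, "User_Name": "Welcome_2019", "Workstation_Name": "WS04"},
    # missed: shorter than 10 characters
    {"EventCode": 4625, "User_Name": "P@ss1", "Workstation_Name": "WS05"},
]


def find_password_candidates(events):
    """Mimic the SPL pipeline: eval password=if(match(...)), stats count by User_Name,
    search password=Yes. Returns {User_Name: count} for flagged values only."""
    counts = {}
    for ev in events:
        name = ev.get("User_Name", "")
        if looks_like_password(name):
            counts[name] = counts.get(name, 0) + 1
    return counts


def mask_value(value: str, keep: int = 2) -> str:
    """Hypothetical helper for reporting: keep the first `keep` characters and
    star out the rest so a dashboard does not display the full credential."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def masked_report(events):
    """Flagged values with counts, masked for display. Returns a sorted list of
    (masked_value, count) tuples."""
    return sorted((mask_value(name), n) for name, n in find_password_candidates(events).items())


if __name__ == "__main__":
    for masked, n in masked_report(SAMPLE_EVENTS):
        print(f"{masked}\t{n}")
```

Running it shows three flagged values: the bare password, the username-plus-password pair, and the hyphenated service account, which is the false positive the caveat above warns about. The underscore-only password and the short one are not flagged, so treat the regex as a first pass and tune the character class to your environment.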