Splunk Lantern

Google account passwords changed via Google Chrome

You need to search for scenarios where a user has changed the password for their signed-in Google account, affecting other services that depend on this authorization. This event is triggered when the user resets the password for the first signed-in user account; see the Chrome audit log for more details. Within Google Chrome, this is indicated by the event type passwordReuseEvent. This behaviour is not inherently malicious; however, you may wish to correlate it with other observed activity to assess whether it warrants further investigation.

Required data

Ensure you are using the recommended Splunk Common Information Model (CIM) Change (Account Management dataset) data model. Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the CIM. For information on installing and using the CIM, see the Common Information Model documentation.

Procedure

1. Use field mapping to correlate the fields:

   Field             CIM alias
   device_user       user, user_name, src_user, src_user_name
   event             change_type
   device_name       dest
   user_agent        -
   os_platform       -
   browser_version   -
   device_id         dvc
   client_type       vendor_product
   time              -


3. Look for examples of this activity, such as:

{
  "device_user": "test_user_11",
  "event": "passwordChangedEvent",
  "device_name": "test_user_11-macbookpro2",
  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36",
  "os_platform": "Mac OS X 10.15",
  "browser_version": "87.0.4280.141",
  "device_id": "C02XK3KGJGH5",
  "client_type": "CHROME_BROWSER",
  "time": "1612052810.0"
}
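The field mapping above and the sample record, worked through as an added example (not code from Splunk Lantern or the CIM): it applies the table's aliases to raw Chrome audit-log events, keeps only password-change events, and counts them per user and device, the equivalent of `| stats count by user, dest`. The two extra events, the device id CONSTRUCTED01 and the event name unrelatedEvent are constructed for contrast.

```python
from collections import Counter
from datetime import datetime, timezone

# Chrome audit-log field -> CIM Change (Account Management) aliases, per the mapping table.
# Fields mapped to "-" on the page (user_agent, os_platform, browser_version, time) keep
# their original names; time is additionally parsed into _time.
CIM_ALIASES = {
    "device_user": ("user", "user_name", "src_user", "src_user_name"),
    "event": ("change_type",),
    "device_name": ("dest",),
    "device_id": ("dvc",),
    "client_type": ("vendor_product",),
}

# Event type taken from the page's sample record; extend if your log names it differently.
PASSWORD_CHANGE_EVENTS = {"passwordChangedEvent"}

# Constructed sample input: the page's record plus two made-up events for contrast.
SAMPLE_EVENTS = [
    {"device_user": "test_user_11", "event": "passwordChangedEvent",
     "device_name": "test_user_11-macbookpro2",
     "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36",
     "os_platform": "Mac OS X 10.15", "browser_version": "87.0.4280.141",
     "device_id": "C02XK3KGJGH5", "client_type": "CHROME_BROWSER", "time": "1612052810.0"},
    {"device_user": "test_user_42", "event": "passwordChangedEvent",  # constructed
     "device_name": "test_user_42-laptop", "device_id": "CONSTRUCTED01",
     "client_type": "CHROME_BROWSER", "time": "1612053000.0"},
    {"device_user": "test_user_42", "event": "unrelatedEvent",  # constructed, should be ignored
     "device_name": "test_user_42-laptop", "device_id": "CONSTRUCTED01",
     "client_type": "CHROME_BROWSER", "time": "1612053100.0"},
]

def normalize(raw):
    """Add the CIM alias fields to a raw Chrome audit-log event (original fields are kept)."""
    out = dict(raw)
    for field, aliases in CIM_ALIASES.items():
        if field in raw:
            for alias in aliases:
                out[alias] = raw[field]
    # Chrome reports epoch seconds as a string; normalize it to an ISO-8601 UTC timestamp.
    out["_time"] = datetime.fromtimestamp(float(raw["time"]), tz=timezone.utc).isoformat()
    return out

def password_changes(events, kinds=PASSWORD_CHANGE_EVENTS):
    """Normalize every event and keep those whose change_type is a password change."""
    return [e for e in map(normalize, events) if e.get("change_type") in kinds]

def count_by_user_dest(events):
    """Who changed a password from which device: equivalent of `| stats count by user, dest`."""
    return dict(Counter((e["user"], e["dest"]) for e in events))
```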

Next steps

While not inherently suspicious, correlating password changes with activity can identify compromised account behavior. Events that appear should be investigated further and assessed against your organizational policies in this area.

Finally, you might be interested in other processes associated with the Improving Google Chrome security use case.