topic Re: A splunk query to fetch Admin activity inside splunk in Security

A splunk query to fetch Admin activity inside splunk

Zorghost — Fri, 07 Feb 2025 13:10:03 GMT

Hello everyone,

I am planning to automate a process where we need to archive admin activity for splunk application.

For that I would require a query to fetch all the privileged actions conducted by admins inside splunk application. My first thought is to use the following query:

index=_audit sourcetype="audittrial" action=edit* OR action=create* OR action=delete* OR action=restart*

Unfortunately, this query is emitting a lot of data ( around 900MB per day ) which the platform that I am using for automation can´t work with.

=> Is there maybe any query that I can use to get the data I need in a more specific way to the point where it reduces the size to 20 MB or something ?

I would appreciate any help and thank you in advance !

Re: A splunk query to fetch Admin activity inside splunk

gcusello — Fri, 07 Feb 2025 13:17:37 GMT

Hi @Zorghost ,

sorry but it isn't clear for me what do you want to do:

what do you mean with "archive"?

Splunk audit logs are in the index _audit that by default is maintained fro 6 years.

In addition I don't understand what do you mea with 900 MB/day, maybe do you extract these data? why?

Anyway, you could group data that are relevant for you and extract only them.

If you want, you could extract grouped data in a summary index and store in that index these data.

Ciao.

Giuseppe

Re: A splunk query to fetch Admin activity inside splunk

Zorghost — Fri, 07 Feb 2025 13:32:10 GMT

Thank you for the reply @gcusello ,

I want to extract the data from that index -> process it -> send it to a file share.

The issue is that I can´t work with data that is more than 20 MB in the platform that I am using to automate this process. Therefore, I m looking for a more specific query to get smaller size data.

Re: A splunk query to fetch Admin activity inside splunk

gcusello — Fri, 07 Feb 2025 14:15:13 GMT

Hi @Zorghost ,

It isn't so clear because you have th same information available on Splunk and in dynamic way instead in static way on the share.

Anyway, you have to define a search to extract only the fields you need, not all the full events; in this way, you'll reduct so much the number of data to extract.

Ciao.

Giuseppe

Re: A splunk query to fetch Admin activity inside splunk

Zorghost — Tue, 11 Feb 2025 07:39:10 GMT

Thank you again for the support @gcusello

I currently don´t have visibility on _audit index in splunk. Do you maybe know if it is possible as well to filter the data based on the user type ? like for example : user=admin ? what other users in splunk would exist with administrative privileges as well ?

Are there any standard fields that exist in the _audit index that you think are enough to be archived while delivering the important details of the audit event ?

I would really appreciate any help !

Re: A splunk query to fetch Admin activity inside splunk

gcusello — Tue, 11 Feb 2025 13:11:25 GMT

Hi @Zorghost ,

let me understand: you need to access _audit index but you aren't anabled to it and you would have a copy of these logs accessible for you, is it correct?

If this is your requirement, the easiest way is obviously to be enabled to access _audit index!

Otherwise, you could schedule a search (having the administrative grants) that copies the _audit index in a summary index, so you can access it in Splunk.

Ciao.

Giuseppe

Re: A splunk query to fetch Admin activity inside splunk

Zorghost — Tue, 11 Feb 2025 13:31:56 GMT

Hi @gcusello and thanks again for your reply !

What I want is a query that I can use to fetch only the important fields from the _audit index to get visibility on the admin activity events. What I currently have is :

index=_audit sourcetype="audittrial" action=edit* OR action=create* OR action=delete* OR action=restart*

I want to get the least possible amount of data volume while getting the needed information to construct the audit events.

Re: A splunk query to fetch Admin activity inside splunk

gcusello — Tue, 11 Feb 2025 13:41:56 GMT

Hi @Zorghost ,

at first, there's a mistyping error:

not auditrial but audittrail

Then analyzing the results of your search I see seom interesting fields:

_time
use
dest
action
info

But I don't think that you need external help for this!

Ciao.

Giuseppe