topic Splunk Enterprise Security: Is it possible to create a correlation search on admin activity and if yes, what data model is suitable for it? in Splunk Enterprise Security

Splunk Enterprise Security: Is it possible to create a correlation search on admin activity and if yes, what data model is suitable for it?

Rocky31 — Tue, 24 Jan 2017 22:18:35 GMT

i want to see an event in incident review on admin activity, how to create a correlation search for, give me advice guys this is high priority.

Re: Splunk Enterprise Security: Is it possible to create a correlation search on admin activity and if yes, what data model is suitable for it?

hardikJsheth — Wed, 25 Jan 2017 09:33:42 GMT

You can create correlation search as per your requirement, however there aren't any data models which you can use for this. For admin activities you should be able to get data from _internal index.

Re: Splunk Enterprise Security: Is it possible to create a correlation search on admin activity and if yes, what data model is suitable for it?

Rocky31 — Tue, 29 Sep 2020 12:35:48 GMT

Thanks for your reply. i don't see any internal index, you mean internal_audit_logs, splunk_audit.

Thanks,

Re: Splunk Enterprise Security: Is it possible to create a correlation search on admin activity and if yes, what data model is suitable for it?

Rocky31 — Wed, 25 Jan 2017 14:41:39 GMT

i mean what is best suitable application context.

Re: Splunk Enterprise Security: Is it possible to create a correlation search on admin activity and if yes, what data model is suitable for it?

hardikJsheth — Fri, 27 Jan 2017 05:26:40 GMT

I meant _internal. You can search through this index

index=_internal

Re: Splunk Enterprise Security: Is it possible to create a correlation search on admin activity and if yes, what data model is suitable for it?

Rocky31 — Fri, 27 Jan 2017 14:20:54 GMT

do i need admin access, to access this index.

Re: Splunk Enterprise Security: Is it possible to create a correlation search on admin activity and if yes, what data model is suitable for it?

gjanders — Tue, 29 Sep 2020 12:34:23 GMT

The _ indexes (_internal, _audit) are often not available to standard users...also they are not searched by default so try the index=_internal and see if anything appears, if not run a query to check what index access you have...

Re: Splunk Enterprise Security: Is it possible to create a correlation search on admin activity and if yes, what data model is suitable for it?

Rocky31 — Tue, 29 Sep 2020 12:40:16 GMT

index=_internal (action=edit) user=admin
| table _time,user,user_email,action,info

this is the search string i using, i checked in the roles access, i don't have access for _internal.

Re: Splunk Enterprise Security: Is it possible to create a correlation search on admin activity and if yes, what data model is suitable for it?

gjanders — Tue, 31 Jan 2017 00:38:27 GMT

I use
| eventcount summarize=f index=_* index=* | dedup index | table index

FYI, but if you don't have _internal access you won't see the various sources you need...

Re: Splunk Enterprise Security: Is it possible to create a correlation search on admin activity and if yes, what data model is suitable for it?

jstoner_splunk — Thu, 02 Feb 2017 00:23:04 GMT

You may want to look at some of the audit dashboards in ES and consider using them as a starting point for the correlation search you want to write. For example, the Search Audit dashboard has a panel that calculates run time, but it contains the search itself as well as the user and time. Drilling into it you can see that is uses the macro search_activity and then works on that to format the output and calculate time. You could potentially use that as a starting point and tweak to look at activity that a specific account name, like admin is doing. Correlation searches do not need to use data models though it makes a lot of sense to in most cases when dealing with sensors and endpoints that can be heterogenous.