https://community.splunk.com/t5/Splunk-Enterprise-Security/How-can-we-track-changes-made-in-correlation-searches/m-p/519850#M9268 <P>I want to create a scheduled search that will track the <STRONG>changes made in content under Splunk Enterprise</STRONG> security app. If someone <STRONG>modifies correlation searches</STRONG> i want my query to capture it. Can this be achieved??</P> <P>Please help.</P> <P><SPAN>&nbsp;</SPAN></P> Thu, 17 Nov 2022 16:32:59 GMT ManishVilla7 2022-11-17T16:32:59Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-can-we-track-changes-made-in-correlation-searches/m-p/519850#M9268 <P>I want to create a scheduled search that will track the <STRONG>changes made in content under Splunk Enterprise</STRONG> security app. If someone <STRONG>modifies correlation searches</STRONG> i want my query to capture it. Can this be achieved??</P> <P>Please help.</P> <P><SPAN>&nbsp;</SPAN></P> Thu, 17 Nov 2022 16:32:59 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-can-we-track-changes-made-in-correlation-searches/m-p/519850#M9268 ManishVilla7 2022-11-17T16:32:59Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-can-we-track-changes-made-in-correlation-searches/m-p/519908#M9270 <P>There's no good way to do that within Splunk.&nbsp; The audit logs may tell that someone touched a CS, but it won't say what changes were made.</P><P>Consider tracking your .conf files in a source management tool like git so you not only know when a change is made, but can revert to a previous instance if necessary.</P> Wed, 16 Sep 2020 12:45:11 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-can-we-track-changes-made-in-correlation-searches/m-p/519908#M9270 richgalloway 2020-09-16T12:45:11Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-can-we-track-changes-made-in-correlation-searches/m-p/519909#M9271 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;can we at-least get the info of who made the change, search name, time. I am not tracking the exact change made but who all made the changes.</P> Wed, 16 Sep 2020 12:50:38 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-can-we-track-changes-made-in-correlation-searches/m-p/519909#M9271 ManishVilla7 2020-09-16T12:50:38Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-can-we-track-changes-made-in-correlation-searches/m-p/519958#M9274 <P>Start with this query.&nbsp; Replace "<FONT face="courier new,courier">&lt;searchName&gt;</FONT>" with the URL-encoded name of the search you're interested in.&nbsp; Or use "saved/searches" for a generic search.</P><LI-CODE lang="markup">index=_internal "&lt;searchName&gt;" sourcetype=splunkd_ui_access source="*splunkd_ui_access.log" "POST"</LI-CODE><P>&nbsp;</P> Wed, 16 Sep 2020 15:29:24 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-can-we-track-changes-made-in-correlation-searches/m-p/519958#M9274 richgalloway 2020-09-16T15:29:24Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-can-we-track-changes-made-in-correlation-searches/m-p/520030#M9275 <P>Possibly use the rest command combined with Rich's internal search: (taken&nbsp; and edited from:&nbsp;<A href="https://docs.splunk.com/Documentation/ES/6.3.0/Admin/Listcorrelationsearches" target="_blank">https://docs.splunk.com/Documentation/ES/6.3.0/Admin/Listcorrelationsearches</A>)</P><P><SPAN>| rest splunk_server=local count=0 /servicesNS/-/SplunkEnterpriseSecuritySuite/saved/searches | where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]") | where disabled=0 | eval actions=split(actions, ",")&nbsp; | fields title, search, updated<BR /></SPAN></P><P>The Updated field represents when the correlation search was updated (changed) - I tested this on my own instance.&nbsp;</P><P>So, you could keep a list of enabled searches with their update times in a lookup table using that rest search. Then in a new correlation search compare the current rest results with the historic lookup table and if the update times are different - there was a change.</P><P>Then in the drill down of the correlation search you could pass the name of the search as a token and update time (using maybe earliest= and latest= in the search SPL with that token) and search on the internal index via Rich's search or something similar to find the user who made the change.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 16 Sep 2020 23:12:25 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-can-we-track-changes-made-in-correlation-searches/m-p/520030#M9275 Jhunter 2020-09-16T23:12:25Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-can-we-track-changes-made-in-correlation-searches/m-p/554212#M9951 <P>I was searching for the same, then i developed this app for the community.&nbsp;<A href="https://splunkbase.splunk.com/app/4144/" target="_blank">https://splunkbase.splunk.com/app/4144/</A></P> Thu, 03 Jun 2021 07:26:32 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-can-we-track-changes-made-in-correlation-searches/m-p/554212#M9951 amitpanjawani 2021-06-03T07:26:32Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-can-we-track-changes-made-in-correlation-searches/m-p/621278#M11167 <P>Going through the audit logs I found this query helpful.</P><P>&nbsp;</P><P>index=_audit action=create_saved_search actions=* app=* disabled=* info=* user=*<BR />| table _time savedsearch user action actions app disabled info</P> Thu, 17 Nov 2022 16:29:10 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-can-we-track-changes-made-in-correlation-searches/m-p/621278#M11167 wabesman_OG 2022-11-17T16:29:10Z