Alerting

Can Splunk search/alert when there is a change to a user's capabilities?

ricercar
Explorer

I specifically want there to be an alert if anyone is granted "can_delete" role or "delete_by_keyword" capability. Is there a way to do this?

0 Karma

acharlieh
Influencer

How about this as a scheduled search for the REST API?

| rest /services/authentication/users splunk_server=local count=0 | where capabilities="delete_by_keyword"

You'd probably want the auditing solution of did anyone exercise the right as suggested by @AndySplunks as well, because this only reports current state (and if someone adds the capability and removes it between runs you may not catch them).

Ideally you also have externalized authorization, in which case searching the audit trail of group membership changes in your LDAP or other external system is another option.

0 Karma

AndySplunks
Communicator

I've been looking for an elegant solution for this issue as well. I've got two searches that aren't ideal but work.

I have saved searches (and correlations) looking for any activity in _audit for object="can_delete" and for any search activity that includes "| delete".

lguinn2
Legend

AFAIK, not directly. I checked out the Splunk internal log files and they don't seem to track to this level of detail. You could write a scripted input though, that regularly checks out all the authorize.conf files in your Splunk instance. If any of them change, and the change includes either of the strings "can_delete" or "delete_by_keyword", the scripted input could output the information, which would then be indexed in Splunk (hopefully to a special index). Now you could write a search/alert based on that data...

Seems like a long way to go around, but it isn't really that tough.

0 Karma
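As an added worked example (not lguinn2's code or anything from the thread), here is the core of such a scripted input: it diffs a saved snapshot of authorize.conf against the current text and prints one key=value event per newly added setting that references can_delete or delete_by_keyword, ready to be indexed. The stanzas and the file path are constructed; a deployed version would read the live file and the previous snapshot from disk and store the new snapshot afterwards.

```python
"""Check two authorize.conf snapshots for newly granted delete rights (constructed example)."""
import configparser
import time

WATCHED = ("can_delete", "delete_by_keyword")   # role and capability from the question

def parse_authorize_conf(text):
    """Return {stanza: {key: value}} for the INI-style body of a Splunk .conf file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str          # keep keys such as importRoles case-sensitive
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def settings(conf):
    """Flatten to (stanza, key, value) triples so two snapshots can be set-diffed."""
    return {(s, k, v) for s, kv in conf.items() for k, v in kv.items()}

def new_delete_grants(old_text, new_text):
    """Sorted (stanza, key, value) triples added since the old snapshot that mention a
    watched string: e.g. can_delete inherited via importRoles, or delete_by_keyword set."""
    added = settings(parse_authorize_conf(new_text)) - settings(parse_authorize_conf(old_text))
    return sorted(t for t in added if any(w in part for part in t for w in WATCHED))

def to_events(grants, path="/opt/splunk/etc/system/local/authorize.conf"):
    """One key=value line per grant for Splunk to index; the path is a placeholder."""
    ts = time.strftime("%Y-%m-%dT%H:%M:%S%z")
    return [f'{ts} action=added file="{path}" stanza="{s}" key="{k}" value="{v}"'
            for s, k, v in grants]

# Constructed before/after snapshots: the only differences are the two grants asked about.
OLD_CONF = """[role_analyst]
importRoles = user
srchIndexesAllowed = *
[role_helpdesk]
importRoles = user
"""
NEW_CONF = """[role_analyst]
importRoles = user;can_delete
srchIndexesAllowed = *
[role_helpdesk]
importRoles = user
delete_by_keyword = enabled
"""

if __name__ == "__main__":
    for line in to_events(new_delete_grants(OLD_CONF, NEW_CONF)):
        print(line)
```

Removals are deliberately not reported, so revoking delete rights does not fire the alert; a change made and reverted between two runs of the script is still missed, which is why the _audit-based searches above remain useful alongside it.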

naqviah1
New Member

Would you have a sample script for the above to take place?

0 Karma