I specifically want there to be an alert if anyone is granted "can_delete" role or "delete_by_keyword" capability. Is there a way to do this?
How about this as a scheduled search for the REST API?
| rest /services/authentication/users splunk_server=local count=0 | where capabilities="delete_by_keyword"
You'd probably want the auditing solution of did anyone exercise the right as suggested by @AndySplunks as well, because this only reports current state (and if someone adds the capability and removes it between runs you may not catch them).
You probably also ideally have externalized authorization, and could also use a search of auditing of group membership changes in your LDAP or external system as well as an option.
I've been looking for an elegant solution for this issue as well. I've got two searches that aren't ideal but work.
I have saved searches (and correlations) lookingfor any activity in _audit for object="can_delete" and for any search activity that includes "| delete"
AFAIK, not directly. I checked out the Splunk internal log files and they don't seem to track to this level of detail. You could write a scripted input though, that regularly checks out all the authorize.conf
files in your Splunk instance. If any of them change, and the change includes either of the strings "can_delete" or "delete_by_keyword", the scripted input could output the information, which would then be indexed in Splunk (hopefully to a special index). Now you could write a search/alert based on that data...
Seems like a long way to go around, but it isn't really that tough.
Would you have a sample script for the above to take place?