I am trying to find a way for Splunk to alert on any modifications made to user roles/capabilities that state whether a user has gained access to "delete". I have tried the following REST, but it does not alert when a user gains the delete capability. Any help would be appreciated.
| rest services/authorization/roles | search capabilities=delete_by_keyword
This REST command does not show history, only the current point in time. So it is not a useful way to see when something happened in the past.
From another answer, @AndySplunks said "I have saved searches (and correlations) looking for any activity in _audit for object='can_delete' and for any search activity that includes '| delete'"
That is probably a better way to go.
Try this. This will give you a list of users which have roles with delete capabilities.
| rest /services/authentication/users | table title roles | mvexpand roles | where [| rest /services/authorization/roles | where isnotnull(mvfilter(match(capabilities,"delete_by_keyword"))) | table title | rename title as roles]
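The REST queries in this thread only show the current state, so one way to alert on a role gaining the delete capability is to snapshot the roles endpoint on a schedule and diff consecutive snapshots. This is an added example, not code from the original thread; it assumes the JSON shape returned by GET /services/authorization/roles?output_mode=json (entry[].name and entry[].content.capabilities) and uses constructed snapshots instead of live REST calls.

```python
import json

# Constructed sample snapshots in the shape of
# /services/authorization/roles?output_mode=json. Made up for illustration,
# not real Splunk output: "power" and "soc_analyst" gain delete_by_keyword.
SNAPSHOT_BEFORE = json.dumps({"entry": [
    {"name": "admin", "content": {"capabilities": ["admin_all_objects", "delete_by_keyword"]}},
    {"name": "power", "content": {"capabilities": ["schedule_search", "rtsearch"]}},
    {"name": "user", "content": {"capabilities": ["search"]}},
]})
SNAPSHOT_AFTER = json.dumps({"entry": [
    {"name": "admin", "content": {"capabilities": ["admin_all_objects", "delete_by_keyword"]}},
    {"name": "power", "content": {"capabilities": ["schedule_search", "rtsearch", "delete_by_keyword"]}},
    {"name": "user", "content": {"capabilities": ["search"]}},
    {"name": "soc_analyst", "content": {"capabilities": ["search", "delete_by_keyword"]}},
]})


def role_capabilities(snapshot_json):
    """Map role name -> set of capabilities from a roles-endpoint JSON document."""
    data = json.loads(snapshot_json)
    return {entry["name"]: set(entry["content"].get("capabilities", []))
            for entry in data.get("entry", [])}


def new_grants(before_json, after_json, capability="delete_by_keyword"):
    """Roles holding `capability` in the later snapshot that did not hold it before.

    A role that is absent from the earlier snapshot (newly created) counts as a
    new grant if it now carries the capability, since that is also a change
    worth alerting on.
    """
    before = role_capabilities(before_json)
    after = role_capabilities(after_json)
    return sorted(role for role, caps in after.items()
                  if capability in caps and capability not in before.get(role, set()))


if __name__ == "__main__":
    # In a scheduled job the "before" snapshot would be the one persisted on
    # the previous run and the "after" snapshot fetched fresh from the REST API.
    for role in new_grants(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(f"ALERT: role {role!r} gained delete_by_keyword since the last snapshot")
```

Persist each fetched snapshot after comparing it so the next run diffs against it; combining this with the `_audit` search mentioned above gives both the change event and the resulting state.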
A place to start might be to make a request on the /users endpoint to look for users with this capability:
There are a couple of additional suggestions/examples (including using an input to monitor a conf file for capability changes) in this related older thread that might help: