Hi,
I am trying to find a way for Splunk to alert on any modifications made to user roles/capabilities that state whether a user has gained access to "delete". I have tried the following REST, but it does not alert when a user gains the delete capability. Any help would be appreciated.
| rest services/authorization/roles | search capabilities=delete_by_keyword
This REST command does not show history, only the current point in time. So it is not a useful way to see when something happened in the past.
From another answer, @AndySplunks said "I have saved searches (and correlations) looking for any activity in _audit for object='can_delete' and for any search activity that includes '| delete'"
That is probably a better way to go.
How about this
| rest services/authorization/roles | where isnotnull(mvfind(match(capabilities,"delete_by_keyword")))
This returns the following error:
Error in 'where' command: The arguments to the 'mvfind' function are invalid.
Oops, wrong function and a typo. Try this:
| rest /services/authorization/roles | where isnotnull(mvfilter(match(capabilities,"delete_by_keyword")))
The results don't tell me which users have the "delete_by_keyword" capability. It just shows me which role has the capability in it.
Try this. This will give you a list of users which have roles with delete capabilities.
| rest /services/authentication/users | table title roles | mvexpand roles
| where [| rest /services/authorization/roles | where isnotnull(mvfilter(match(capabilities,"delete_by_keyword"))) | table title | rename title as roles]
Thanks @somesoni2, but it's generating 0 events, which I know is not true because there are a number of users with delete_by_ capabilities.
A place to start might be to make a request on the /users endpoint to look for users with this capability:
http://docs.splunk.com/Documentation/Splunk/6.5.2/RESTREF/RESTaccess#authentication.2Fusers
There are a couple of additional suggestions/examples (including using an input to monitor a conf file for capability changes) in this related older thread that might help:
https://answers.splunk.com/answers/209323/can-splunk-searchalert-when-there-is-a-change-to-a.html
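As an added example (not from any of the posters above), here is one scheduled search that combines the two ideas in this thread: the users-to-roles join from @somesoni2's answer, but with `join` instead of a subsearch inside `where`, and also checking `imported_capabilities` so roles that inherit delete_by_keyword are not missed, plus a snapshot comparison to work around the point that `rest` only shows the current state. The lookup name `delete_capable_users.csv` is an assumed placeholder; create it once with a single `user` column header before the first run.

```spl
| rest /services/authentication/users splunk_server=local
| fields title roles
| rename title AS user
| mvexpand roles
| join type=inner roles
    [| rest /services/authorization/roles splunk_server=local
     | where isnotnull(mvfilter(match(capabilities, "^delete_by_keyword$")))
        OR isnotnull(mvfilter(match(imported_capabilities, "^delete_by_keyword$")))
     | fields title
     | rename title AS roles]
| stats values(roles) AS delete_roles BY user
| eval status="current"
| append [| inputlookup delete_capable_users.csv | eval status="previous" | fields user status]
| stats values(status) AS status values(delete_roles) AS delete_roles BY user
| eval has_now=if(isnotnull(mvfind(status, "^current$")), 1, 0)
| eval had_before=if(isnotnull(mvfind(status, "^previous$")), 1, 0)
| where has_now=1
| eval newly_gained=if(had_before=0, "yes", "no")
| table user delete_roles newly_gained
| outputlookup delete_capable_users.csv
| where newly_gained="yes"
```

Schedule it (for example every 15 minutes) and alert when it returns results; each result is a user who has a delete-capable role now but did not have one in the previous run's snapshot.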