Solved: Need SPLs to list the current users in Splunk Ent....

SamHTexas · ‎05-29-2021

Need SPLs to list the current users in Splunk Ent. and ES. Plus listing unauthorized accts created / deleted. Thank u very much in advance.

richgalloway · ‎05-29-2021

To get a list of Splunk users, start with this REST command

| rest /services/authentication/users

To find newly created or deleted accounts, try this search. It's up to you to determine if they're authorized or not. As far as Splunk is concerned, someone with the right capabilities created or deleted the account so it must be authorized.

index=_audit action IN (create_user remove_user)

---
If this reply helps you, Karma would be appreciated.

View solution in original post

SamHTexas · ‎05-29-2021

Thank u sir as always.

richgalloway · ‎05-29-2021

To get a list of Splunk users, start with this REST command

| rest /services/authentication/users

To find newly created or deleted accounts, try this search. It's up to you to determine if they're authorized or not. As far as Splunk is concerned, someone with the right capabilities created or deleted the account so it must be authorized.

index=_audit action IN (create_user remove_user)

---
If this reply helps you, Karma would be appreciated.

Need SPLs to list the current users in Splunk Ent. and ES. Plus listing unauthorized accts created / deleted. Thank u

monitoring console

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...