
How to create a daily report that displays the activities of Splunk native “admin” user when they make configuration changes through Splunk Web?

mlevsh
Builder

We need to be able to create a scheduled daily report that displays the activities of Splunk native “admin” user when he/she is making config changes through Splunk Web.

0 Karma
1 Solution

muebel
SplunkTrust

Hi mlevsh, the _audit index contains user action events. I'd recommend exploring all of the events in the index, but in particular a search like:

index=_audit user=admin action=*

Should get you started.

Please let me know if this answers your question! 😄


somesoni2
Revered Legend

Give this a try as well. This gives edit (POST) activities performed by the admin user (the uri field will contain the REST API reference of the object being updated). Not fully tested; I've tried to remove all non-relevant stuff, but you can test (make some changes using the admin user on a test Splunk instance and check the result).

index=_internal sourcetype=*access* user=admin NOT (method=GET OR uri=*/jobs* OR uri=*intentionsparser* OR uri=/splunk/en-US* OR uri=*/auth/login*)

0 Karma

mlevsh
Builder

@somesoni2, I will certainly try all suggestions.

Per our internal auditors' request, we stopped using Splunk native "admin" user for Splunk administration as Splunk doesn't provide a mechanism to enforce the complexity of password (length, upper/lower case, special characters, alphanumeric). We switched to AD-based accounts as we use SAML and LDAP authentication process in Splunk.

So now we have to run some kind of monitoring for Splunk admin user actions to catch attempts to log in as Splunk native "admin" user and make any configuration changes.

0 Karma

mlevsh
Builder

@muebel, it'll definitely get me started. Thank you! It won't show me what exact changes were made, right? For example, if admin created or deleted a user, and that user's name.

0 Karma

muebel
SplunkTrust

Each action has a different set of associated fields, so in the case of a user edit it should also have the user edited. You'd have to nail down exactly which actions you care about, and then formulate tables / visualizations in order to present the events.

0 Karma

mlevsh
Builder

@muebel, thank you! I have started to run test searches and see that info is available in the object and operation fields.

0 Karma

muebel
SplunkTrust

Glad to hear 😄 Please don't forget to accept 😄

0 Karma

mlevsh
Builder

@muebel, just did!

I was wondering if you might have some other suggestions for our situation: Per our internal auditors' request, we stopped using Splunk native "admin" user for Splunk administration as Splunk doesn't provide a mechanism to enforce the complexity of password (length, upper/lower case, special characters, alphanumeric). We switched to AD-based accounts as we use SAML and LDAP authentication process in Splunk.

So now we have to run some kind of monitoring for Splunk admin user actions to catch attempts to log in as Splunk native "admin" user and make any configuration changes.

0 Karma

muebel
SplunkTrust

As long as you have some LDAP users in the admin role, one solution to this would be to simply delete the default admin user.

Otherwise you could alert on any _audit events for the admin user.
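
The daily report and the alert discussed in this thread, written out as a savedsearches.conf sketch. This is an added example, not configuration posted by any participant: the stanza names, schedules and e-mail recipient are placeholders, and the field list assumes the object and operation fields mentioned above are present on the actions of interest.

```ini
# Added example: stanza names, schedules and recipient are placeholders.

# Daily report: what the native "admin" account did yesterday.
# Field list is an assumption; each action carries a different set of fields.
[Native admin activity - daily report]
search = index=_audit user=admin action=* | table _time user action info object operation | sort - _time
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
cron_schedule = 0 6 * * *
enableSched = 1

# Alert: any _audit event for the native "admin" account in the last 15 minutes.
[Native admin activity - alert]
search = index=_audit user=admin action=*
dispatch.earliest_time = -15m@m
dispatch.latest_time = @m
cron_schedule = */15 * * * *
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
action.email = 1
action.email.to = secops@example.com
```

Once you have reviewed which actions appear in your environment, replace action=* with the specific actions you care about.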

mlevsh
Builder

@muebel, we need to run Splunk commands from a command line (splunk reload deploy-server, for example) and we cannot do it with our AD-based users even though they are mapped to an admin role. We are getting "An authentication error occurred: Client is not authenticated".

It prevents us from disabling the admin user.

0 Karma