Security

How do I search for unwanted user account or saved searches added by Hackers in Splunk Ent. / ES

SamHTexas
Builder

How do I search for unwanted user account or saved searches added by Hackers in Splunk Ent. / ES

Labels (1)
Tags (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Get a list of users using

| rest /services/authentication/users

It's up to you to figure out which are unwanted.

Search for saved searches this way:

| rest /servicesNS/-/-/saved/searches

then filter as necessary to locate Hackers.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.