How do I search for unwanted user account or saved searches added by Hackers in Splunk Ent. / ES
Get a list of users using
| rest /services/authentication/users
It's up to you to figure out which are unwanted.
Search for saved searches this way:
| rest /servicesNS/-/-/saved/searches
then filter as necessary to locate Hackers.