Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to audit capability assignment?

afx
Contributor
‎05-13-2019 07:24 AM

Hi,

I am looking for real-time events from the aufit trail for capability assignments/changes, but it looks like this is not provided in _audit.
How can I get an alert when someone adds can_delete for example? Or changes roles in other ways.
I know I can query the REST API for the current state, but I am more interested in getting alerts for changes.

Moitoring file changes also will only tell me that user X modifed authorize.conf, but not what was changed.

thx
afx

0 Karma
Reply

CarlBecker
Observer
‎07-18-2022 02:32 AM

The process of auditing capability assignment is to review the settings and ensuring that the systems, servers, and users have the correct permissions for their needs.

0 Karma
Reply

JS400016
New Member
‎10-20-2020 07:12 PM

Hello AFX, Good evening. I am also looking for real-time alerts as soon as someone gets an admin or can_delete role. 

Not sure if you were able to create this alert. I was not able to find any useful info online.

I will really appreciate if you can share some insight.

 

Thanks

JS

 

 

0 Karma
Reply

afx
Contributor
‎05-13-2019 11:59 PM

The links posted do not anser the question (apart from implying NOT POSSIBLE).
As I wrote above, I am looking for a realtime information, so the rest API is useless as it leaves an unmonitored window.
And the audit log still does not provide the information needed, as it only notes a change, but not what was changed. Querying _audit for can_delete after I assigned the role shows nothing, so the information is not available in the audit log at all.

cheers
afx

0 Karma
Reply

adonio
Ultra Champion
‎05-13-2019 05:22 PM

this is probably the basis for that:
index=_audit source=audittrail operation=edit action=edit_roles

there are many answers in this portal answering the exact same question
using _audit
https://answers.splunk.com/answers/552114/how-can-i-audit-changes-made-to-splunk-role-index.html
https://answers.splunk.com/answers/676586/how-to-track-if-assigned-role-has-been-changed-for.html
using | rest
https://answers.splunk.com/answers/209323/can-splunk-searchalert-when-there-is-a-change-to-a.html
https://answers.splunk.com/answers/186454/how-to-monitor-role-changes.html

hope it helps

Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

  Ready to master Kubernetes and cloud monitoring like the pros?Join Splunk’s Growth Engineering team for an ...

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...