Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to audit capability assignment?

afx
Contributor
‎05-13-2019 07:24 AM

Hi,

I am looking for real-time events from the aufit trail for capability assignments/changes, but it looks like this is not provided in _audit.
How can I get an alert when someone adds can_delete for example? Or changes roles in other ways.
I know I can query the REST API for the current state, but I am more interested in getting alerts for changes.

Moitoring file changes also will only tell me that user X modifed authorize.conf, but not what was changed.

thx
afx

0 Karma
Reply

CarlBecker
Observer
‎07-18-2022 02:32 AM

The process of auditing capability assignment is to review the settings and ensuring that the systems, servers, and users have the correct permissions for their needs.

0 Karma
Reply

JS400016
New Member
‎10-20-2020 07:12 PM

Hello AFX, Good evening. I am also looking for real-time alerts as soon as someone gets an admin or can_delete role. 

Not sure if you were able to create this alert. I was not able to find any useful info online.

I will really appreciate if you can share some insight.

 

Thanks

JS

 

 

0 Karma
Reply

afx
Contributor
‎05-13-2019 11:59 PM

The links posted do not anser the question (apart from implying NOT POSSIBLE).
As I wrote above, I am looking for a realtime information, so the rest API is useless as it leaves an unmonitored window.
And the audit log still does not provide the information needed, as it only notes a change, but not what was changed. Querying _audit for can_delete after I assigned the role shows nothing, so the information is not available in the audit log at all.

cheers
afx

0 Karma
Reply

adonio
Ultra Champion
‎05-13-2019 05:22 PM

this is probably the basis for that:
index=_audit source=audittrail operation=edit action=edit_roles

there are many answers in this portal answering the exact same question
using _audit
https://answers.splunk.com/answers/552114/how-can-i-audit-changes-made-to-splunk-role-index.html
https://answers.splunk.com/answers/676586/how-to-track-if-assigned-role-has-been-changed-for.html
using | rest
https://answers.splunk.com/answers/209323/can-splunk-searchalert-when-there-is-a-change-to-a.html
https://answers.splunk.com/answers/186454/how-to-monitor-role-changes.html

hope it helps

Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...