I am looking to audit any user that uploads to splunk through the User interface or REST API
After doing some investigation I have found that the endpoints /services/app/local is the REST API endpoint that can be used to post an application. I was wondering whether splunk internally posts to that API when you utilise the GUI so by auditing that log you can get both use cases.
I have crafted the below search to isolate these events and confirmation that this works would be awesome!
index=_internal sourcetype=splunkd_access /services/apps/local method=POST
Appreciate all assistance.