How to run a search to determine whether an app has been uploaded through GUI/Rest API?

New Member

I am looking to audit any user that uploads to splunk through the User interface or REST API 

After doing some investigation I have found that the endpoints /services/app/local is the REST API endpoint that can be used to post an application. I was wondering whether splunk internally posts to that API when you utilise the GUI so by auditing that log you can get both use cases. 

I have crafted the below search to isolate these events and confirmation that this works would be awesome!

index=_internal sourcetype=splunkd_access /services/apps/local method=POST

Appreciate all assistance. 

Labels (1)
Tags (2)
0 Karma
Get Updates on the Splunk Community!

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...