Security

How to run a search to determine whether an app has been uploaded through GUI/Rest API?

scampers
New Member

I am looking to audit any user that uploads to Splunk through the user interface or REST API.

After doing some investigation I have found that the endpoint /services/app/local is the REST API endpoint that can be used to post an application. I was wondering whether Splunk internally posts to that API when you utilise the GUI, so by auditing that log you can get both use cases.

I have crafted the below search to isolate these events and confirmation that this works would be awesome!

index=_internal sourcetype=splunkd_access /services/apps/local method=POST

Appreciate all assistance. 
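Added example, not part of the original post and not Splunk's own code: the filter from the search above (POST requests to apps/local) applied in Python to constructed access-log lines. It goes slightly beyond the search by separating POSTs to the apps/local collection from POSTs to an already-installed app and by accepting /servicesNS/ namespace paths. The log layout, users, addresses and status codes are constructed assumptions.

```python
import re

# Constructed sample lines, assuming an Apache-style splunkd_access layout:
# clientip - user [timestamp] "METHOD uri HTTP/x" status bytes ...
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Mar/2024:10:15:30.123 +0000] "POST /services/apps/local HTTP/1.1" 201 1823 - - - 412ms
10.0.0.5 - admin [12/Mar/2024:10:16:02.871 +0000] "POST /services/apps/local/my_app HTTP/1.1" 200 2210 - - - 35ms
10.0.0.9 - svc_deploy [12/Mar/2024:11:02:44.009 +0000] "POST /servicesNS/nobody/system/apps/local?output_mode=json HTTP/1.1" 201 1790 - - - 530ms
10.0.0.7 - jdoe [12/Mar/2024:11:05:10.500 +0000] "GET /services/apps/local?count=-1 HTTP/1.1" 200 90321 - - - 18ms
10.0.0.7 - jdoe [12/Mar/2024:11:06:00.000 +0000] "POST /services/apps/local HTTP/1.1" 403 310 - - - 4ms
"""

LINE_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)
# apps/local reached through /services or a /servicesNS/<user>/<app> namespace;
# an optional trailing segment is the name of an existing app.
APPS_LOCAL_RE = re.compile(
    r'^/(?:services|servicesNS/[^/]+/[^/]+)/apps/local(?:/(?P<app>[^/]+))?/?$'
)

def audit_app_posts(log_text):
    """Return one dict per POST that targets the apps/local endpoint."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["uri"].split("?", 1)[0]  # drop the query string before matching
        target = APPS_LOCAL_RE.match(path)
        if not target:
            continue
        status = int(m["status"])
        events.append({
            "time": m["time"], "user": m["user"], "clientip": m["clientip"],
            "path": path, "status": status,
            # POST to the collection creates or installs an app;
            # POST to apps/local/<name> edits an app that already exists.
            "action": "modify_existing" if target["app"] else "create_or_install",
            "succeeded": 200 <= status < 300,
        })
    return events

if __name__ == "__main__":
    for event in audit_app_posts(SAMPLE_LOG):
        print(event)
```

A plain term match on /services/apps/local would also return the second sample line, which is an edit to an existing app, and would miss the third, which uses a namespace path.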
