Is there any way to limit list of users based on REST calls?
crsplunkr (Loves-to-Learn Everything), 03-24-2023 02:03 PM
Looking for the best way to audit all users accessing REST endpoints.
Found a way to list users, but is there any way to limit this based on REST calls?
| rest /services/authentication/users splunk_server=*
Tom_Lundie (Contributor), 03-24-2023 03:41 PM
Your best bet is going to be the splunkd_access sourcetype.
index="_internal" sourcetype="splunkd_access" host="<<SPLUNKHOST>>"
| stats values(user) as user
| mvexpand user
That being said, if you're auditing a SH, you're going to see lots of traffic from splunkweb.
To address this you could filter out the Splunk user agent (the risk with this is that user-agents can be modified):
index="_internal" sourcetype="splunkd_access" host="<<SPLUNKHOST>>"
| regex useragent!="Splunkd?\/[\d\.]+ \("
| stats values(user) as user
| mvexpand user
Or filter out any localhost connections:
index="_internal" sourcetype="splunkd_access" host="<<SPLUNKHOST>>" clientip!="127.0.0.1"
| stats values(user) as user
| mvexpand user
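The three searches above all read splunkd_access and differ only in which requests they drop. As an added example that is not from this thread or from Splunk itself, the Python below applies the same logic offline to a handful of constructed lines in the Apache-style layout splunkd_access uses (client IP, user, timestamp, request line, status, bytes, referer, user agent). It reuses the answer's user-agent pattern, adds the localhost cut, and also groups users per endpoint under a URI prefix, which is closer to the original question of limiting the list to REST calls. The log layout, the sample lines, and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Apache-style layout used by splunkd_access.
# Two come from localhost (one system user, one splunkweb proxying a UI
# request), one comes from a remote host that presents a Splunkd user agent.
LOG_LINES = """\
127.0.0.1 - splunk-system-user [24/Mar/2023:15:41:02.101 -0400] "GET /services/server/info HTTP/1.1" 200 1854 "-" "Splunkd/9.0.4 (Linux; x86_64)" - 1234 2ms
10.1.2.3 - admin [24/Mar/2023:15:41:05.220 -0400] "GET /services/authentication/users HTTP/1.1" 200 4210 "-" "curl/7.88.1" - 1235 7ms
10.1.2.4 - alice [24/Mar/2023:15:41:07.004 -0400] "POST /services/search/jobs HTTP/1.1" 201 532 "-" "python-requests/2.28" - 1236 15ms
127.0.0.1 - bob [24/Mar/2023:15:41:09.330 -0400] "GET /en-US/app/search/search HTTP/1.1" 200 9321 "-" "Splunk/9.0.4 (splunkweb)" - 1237 3ms
10.1.2.5 - carol [24/Mar/2023:15:41:11.000 -0400] "GET /services/data/indexes HTTP/1.1" 200 2201 "-" "Splunkd/9.0.4 (Linux; x86_64)" - 1238 4ms
"""

# Field extraction for one access-log line (assumed layout, see lead-in).
LINE_RE = re.compile(
    r'^(?P<clientip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"[^"]*" "(?P<useragent>[^"]*)"'
)

# Same pattern the SPL answer uses: "Splunk/<ver> (" or "Splunkd/<ver> (".
SPLUNK_UA_RE = re.compile(r'Splunkd?/[\d.]+ \(')

LOCALHOST = {"127.0.0.1", "::1"}


def parse_access_log(text):
    """Return one dict per parseable line; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def is_splunk_user_agent(useragent):
    """True when the user agent looks like Splunk's own (splunkd/splunkweb)."""
    return bool(SPLUNK_UA_RE.search(useragent))


def audit_users(records, exclude_splunk_ua=False, exclude_localhost=False,
                uri_prefix=None):
    """Distinct users, after the same optional filters as the SPL searches.

    uri_prefix restricts the audit to a URI subtree, e.g. "/services/" for
    the REST API rather than UI paths served under /en-US/.
    """
    users = set()
    for r in records:
        if uri_prefix and not r["uri"].startswith(uri_prefix):
            continue
        if exclude_splunk_ua and is_splunk_user_agent(r["useragent"]):
            continue
        if exclude_localhost and r["clientip"] in LOCALHOST:
            continue
        users.add(r["user"])
    return sorted(users)


def users_by_endpoint(records, uri_prefix="/services/"):
    """Map each REST endpoint under uri_prefix to the sorted users that hit it."""
    per_uri = defaultdict(set)
    for r in records:
        if r["uri"].startswith(uri_prefix):
            per_uri[r["uri"]].add(r["user"])
    return {uri: sorted(users) for uri, users in per_uri.items()}


if __name__ == "__main__":
    recs = parse_access_log(LOG_LINES)
    print("all users:       ", audit_users(recs))
    print("minus Splunk UA: ", audit_users(recs, exclude_splunk_ua=True))
    print("minus localhost: ", audit_users(recs, exclude_localhost=True))
    print("REST only, both filters:",
          audit_users(recs, True, True, uri_prefix="/services/"))
    for uri, users in users_by_endpoint(recs).items():
        print(f"{uri}: {users}")
```

On the sample data the two filters disagree about carol, who calls the REST API from a remote host with a Splunkd user agent: the user-agent filter drops her, the localhost filter keeps her. That is the trade-off the answer points at, since a user agent is whatever the client chooses to send, while the client IP is at least not under the caller's control on the search head itself.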
