Re: Rest access audit

crsplunkr · ‎03-24-2023

looking for the best way to audit all users accessing REST endpoints

found a way to list users, but any way to limit this based on REST calls?

| rest /services/authentication/users splunk_server=*

Tom_Lundie · ‎03-24-2023

Your best bet is going to be the splunkd_access sourcetype.

index="_internal" sourcetype="splunkd_access" host="<<SPLUNKHOST>>"
| stats values(user) as user
| mvexpand user

That being said, if you're auditing a SH, you're going to see lots of traffic from splunkweb.

To address this you could filter out the Splunk user agent (the risk with this is that user-agents can be modified):

index="_internal" sourcetype="splunkd_access" host="<<SPLUNKHOST>>"
| regex useragent!="Splunkd?\/[\d\.]+ \("
| stats values(user) as user
| mvexpand user

Or filter out any localhost connections:

index="_internal" sourcetype="splunkd_access" host="<<SPLUNKHOST>>" clientip!="127.0.0.1"
| stats values(user) as user
| mvexpand user

Is there any way to limit list of users based on REST calls?

access control

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

Is there any way to limit list of users based on REST calls?

access control

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases