I am looking to monitor permissions for anything that has the everyone permission that is created by a normal user with the following query:
| rest /servicesNS/-/search/directory
| search author!=nobody AND author!=admin
| fields title, eai:type, author, disabled, eai:acl.perms.read, eai:acl.perms.write
| rename eai:* AS *, acl.* AS *
| where 'perms.write'="*" OR 'perms.read'="*"
| search NOT type IN (views, commands, macros, *lookup*, *extract*, fvtags, fieldaliases, nav, eventtypes)
Which is fine but what I really want to do is then have it change those everyone permissions to our base user (which is the inheritance point for all other groups and all users are put in it). So I want to make it as a self remediating alert.
Thing is I can't find anything on changing permissions with the splunk query language and being a cloud instance I don't have access to the cli.