Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Capture "Splunk Enterprise Security" Changes

sumanssah
Communicator
‎09-05-2017 03:00 PM

Hello All,

Is there is any way to identify "whats all changes performed on Splunk Enterprise Security" .
Example : Change in Correlation Search , Search Name , Description, drill-down search etc.

Trying to capture all kind of changes done by any user in "Splunk Enterprise Security".

Thanks in advance.

0 Karma
Reply

sumanssah
Communicator
‎03-01-2020 03:29 AM

try this 

index=_internal sourcetype=splunkd_ui_access method=post uri="*/saved/searches/*" | rex field=uri "\/saved\/searches\/(?P<title>.*?)(?:\/|$|\?)"| eval title=urldecode(title) |convert ctime(_time) as timestamp|stats count by title,user,timestamp,bytes|sort -timestamp | join title[| rest splunk_server=local /servicesNS/-/-/configs/conf-savedsearches|stats count by title,search,updated,cron_schedule,"eai:acl.perms.write",disabled]

Schedule this search and save it to a different index and compare it for changes with the latest result.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎09-05-2017 06:16 PM

Everything should be in 'index=_audit' or 'index=_internal source=*search.log'.

If they make a change to a conf file via UI, it will show in _audit. If they send data via email, etc, that would be found in search.log

Reply

jkat54
SplunkTrust
SplunkTrust
‎09-05-2017 06:20 PM

Also check out the change analysis datamodel.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...