Splunk Enterprise Security

Finding Changes To Audit Mechanisms or Audit/Data Logs

gthomas719
New Member

Was hoping someone could give me some assistance with finding changes to audit mechanisms or changes to audit/data logs. Basically I'm trying to find out if someone has changed auditing policy or logs to try to hide nefarious activities from being captured in both Linux and Windows. I know Windows has EventCodes such as 4715, 4719, 4908, and 4912 that are audited, even if audit is changed or turned off, but am I missing something else, and what is the best way to try to find it in Linux?

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...