Splunk Enterprise Security
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- Is there an Audit log that tracks changes to conte...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there an Audit log that tracks changes to content in Splunk Enterprise Security?
john_glasscock
Path Finder
05-02-2017
05:21 AM
We have multiple people making changes to the content in Splunk Enterprise Security and I need to be able to track down when someone changed content.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
esalesapns2
Communicator
05-13-2019
01:03 PM
On Splunk Enterprise 7.0.3, I can see write to content objects using the following search:
index=_internal sourcetype=splunkd_conf "data.task"=addCommit "data.optype_desc"=WRITE_STANZA
The data.asse_uri field has the object that was changed and the data.payload has more details For
example, data.payload.children.search.value has the search string written to a report.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jimmccarthy
New Member
05-02-2017
09:06 AM
Definitely, and I think Adonio is right: all depends what you're after. Given the circumstance you mentioned, audit.log & searches.log (if they piped the output of a search to delete) should have a record. Happy splunking!
http://docs.splunk.com/Documentation/Splunk/6.5.3/Troubleshooting/WhatSplunklogsaboutitself
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
adonio
Ultra Champion
05-02-2017
05:36 AM
yes sir,
what exactly are you after?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
john_glasscock
Path Finder
05-02-2017
05:59 AM
I am trying to see who and when someone change a correlation search in Enterprise Security.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
scannon4
Communicator
02-14-2018
06:22 AM
John did you figure out how to do this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
adonio
Ultra Champion
05-02-2017
06:10 AM
absolutely,
great answers here:
https://answers.splunk.com/answers/387244/anyone-know-of-a-way-of-finding-the-last-modified.html
https://answers.splunk.com/answers/317274/how-can-i-determine-who-modified-a-dashboard.html
there are more answers on this topic in this portal as well
look in _audit and _internal indexes.
you can narrow down by the correlation search name
hope it helps
Get Updates on the Splunk Community!
Detecting Brute Force Account Takeover Fraud with Splunk
This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...
Buttercup Games: Further Dashboarding Techniques (Part 9)
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Buttercup Games: Further Dashboarding Techniques (Part 8)
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
