Splunk Enterprise Security

Is there an Audit log that tracks changes to content in Splunk Enterprise Security?

john_glasscock
Path Finder

We have multiple people making changes to the content in Splunk Enterprise Security and I need to be able to track down when someone changed content.

0 Karma

esalesapns2
Path Finder

On Splunk Enterprise 7.0.3, I can see writes to content objects using the following search:

index=_internal sourcetype=splunkd_conf "data.task"=addCommit "data.optype_desc"=WRITE_STANZA

The data.asset_uri field has the object that was changed and the data.payload field has more details. For example, data.payload.children.search.value has the search string written to a report.
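
The search in this answer returns the raw write events; the script below is an added example (not code from this thread or from Splunk) of how to turn a set of those events into a per-object change timeline, so that the edits to one correlation search stand out with their before/after search strings. The sample events are constructed to carry the fields the answer names (data.task, data.optype_desc, data.asset_uri, data.payload.children.search.value); the exact asset_uri path layout, the ISO-formatted _time strings, the host values and the non-write optype value used as noise are assumptions made for illustration.

```python
"""Change timeline for one ES correlation search from splunkd_conf-style events.

Added example; SAMPLE_EVENTS are constructed, not real Splunk output. Field
names follow the answer above; the asset_uri layout, ISO _time strings, host
values and the READ_STANZA noise value are assumptions.
"""
import difflib
import json
from urllib.parse import quote, unquote

RULE = "Threat - Brute Force Access Behavior Detected - Rule"
RULE_URI = "/servicesNS/nobody/SA-AccessProtection/saved/searches/" + quote(RULE)
OTHER_URI = ("/servicesNS/nobody/SA-AccessProtection/saved/searches/"
             + quote("Access - Excessive Failed Logins - Rule"))
BASE = ("| tstats count from datamodel=Authentication "
        "where Authentication.action=failure by Authentication.src")


def _event(time, host, task, optype, uri, search):
    """Build one constructed JSON event body shaped like a splunkd_conf event."""
    return json.dumps({"_time": time, "host": host, "data": {
        "task": task, "optype_desc": optype, "asset_uri": uri,
        "payload": {"children": {"search": {"value": search}}}}})


# Deliberately out of time order. One event is a different object and one is a
# constructed non-write optype, so both filters have something to drop.
SAMPLE_EVENTS = [
    _event("2018-05-01T11:30:00", "es-sh01", "addCommit", "WRITE_STANZA",
           RULE_URI, BASE + " | where count > 5"),
    _event("2018-05-01T09:00:00", "es-sh01", "addCommit", "WRITE_STANZA",
           RULE_URI, BASE + " | where count > 20"),
    _event("2018-05-01T09:05:00", "es-sh01", "addCommit", "WRITE_STANZA",
           OTHER_URI, BASE.replace("src", "user")),
    _event("2018-05-01T10:00:00", "es-sh01", "addCommit", "READ_STANZA",
           RULE_URI, BASE + " | where count > 20"),
]


def _get(obj, path):
    """Walk a dotted path such as data.payload.children.search.value."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def content_writes(raw_events, name_fragment):
    """Keep WRITE_STANZA commits whose asset_uri names the wanted object, oldest first."""
    hits = []
    for raw in raw_events:
        ev = json.loads(raw)
        if _get(ev, "data.task") != "addCommit":
            continue
        if _get(ev, "data.optype_desc") != "WRITE_STANZA":
            continue
        uri = _get(ev, "data.asset_uri") or ""
        name = unquote(uri.rsplit("/", 1)[-1])  # last path element is the object name
        if name_fragment.lower() not in name.lower():
            continue
        hits.append({"time": ev["_time"], "host": ev.get("host"), "name": name,
                     "search": _get(ev, "data.payload.children.search.value") or ""})
    hits.sort(key=lambda h: h["time"])
    return hits


def token_changes(before, after):
    """Whitespace-token diff of two search strings as (op, old, new) tuples."""
    a, b = before.split(), after.split()
    sm = difflib.SequenceMatcher(a=a, b=b)
    return [(tag, " ".join(a[i1:i2]), " ".join(b[j1:j2]))
            for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag != "equal"]


def change_timeline(raw_events, name_fragment):
    """Attach to each write the diff against the previous write of the same object."""
    timeline, previous = [], ""
    for hit in content_writes(raw_events, name_fragment):
        entry = dict(hit)
        entry["changes"] = token_changes(previous, hit["search"])
        timeline.append(entry)
        previous = hit["search"]
    return timeline


if __name__ == "__main__":
    for entry in change_timeline(SAMPLE_EVENTS, "Brute Force"):
        print(entry["time"], entry["host"], entry["name"])
        for op, old, new in entry["changes"]:
            print("   ", op, repr(old), "->", repr(new))
```

Run on the constructed sample, the timeline shows the 09:00 write as the first recorded version and the 11:30 write as a single token replacement of the threshold 20 by 5, while the read event and the other rule are dropped. This gives what changed and when; nothing in the answer says the splunkd_conf event carries the editing user, so the actor still has to come from the _audit index.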

jimmccarthy
New Member

Definitely, and I think Adonio is right: it all depends on what you're after. Given the circumstance you mentioned, audit.log & searches.log (if they piped the output of a search to delete) should have a record. Happy splunking!

http://docs.splunk.com/Documentation/Splunk/6.5.3/Troubleshooting/WhatSplunklogsaboutitself

0 Karma

adonio
Ultra Champion

Yes sir,
what exactly are you after?

0 Karma

john_glasscock
Path Finder

I am trying to see who changed a correlation search in Enterprise Security, and when.

0 Karma

scannon4
SplunkTrust

John did you figure out how to do this?

0 Karma

adonio
Ultra Champion

Absolutely,
great answers here:
https://answers.splunk.com/answers/387244/anyone-know-of-a-way-of-finding-the-last-modified.html
https://answers.splunk.com/answers/317274/how-can-i-determine-who-modified-a-dashboard.html
There are more answers on this topic in this portal as well.
Look in the _audit and _internal indexes.
You can narrow down by the correlation search name.
Hope it helps.

0 Karma