Splunk Enterprise Security
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Enterprise Security: Is it possible to create a correlation search on admin activity and if yes, what data model is suitable for it?

Rocky31
Path Finder
‎01-24-2017 02:18 PM

i want to see an event in incident review on admin activity, how to create a correlation search for, give me advice guys this is high priority.

0 Karma
Reply

jstoner_splunk
Splunk Employee
Splunk Employee
‎02-01-2017 04:23 PM

You may want to look at some of the audit dashboards in ES and consider using them as a starting point for the correlation search you want to write. For example, the Search Audit dashboard has a panel that calculates run time, but it contains the search itself as well as the user and time. Drilling into it you can see that is uses the macro search_activity and then works on that to format the output and calculate time. You could potentially use that as a starting point and tweak to look at activity that a specific account name, like admin is doing. Correlation searches do not need to use data models though it makes a lot of sense to in most cases when dealing with sensors and endpoints that can be heterogenous.

0 Karma
Reply

hardikJsheth
Motivator
‎01-25-2017 01:33 AM

You can create correlation search as per your requirement, however there aren't any data models which you can use for this. For admin activities you should be able to get data from _internal index.

0 Karma
Reply

Rocky31
Path Finder
‎01-25-2017 06:41 AM

i mean what is best suitable application context.

0 Karma
Reply

Rocky31
Path Finder
‎01-25-2017 06:28 AM

Thanks for your reply. i don't see any internal index, you mean internal_audit_logs, splunk_audit.

Thanks,

0 Karma
Reply

hardikJsheth
Motivator
‎01-26-2017 09:26 PM

I meant _internal. You can search through this index

index=_internal

0 Karma
Reply

Rocky31
Path Finder
‎01-27-2017 06:20 AM

do i need admin access, to access this index.

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎01-28-2017 06:41 PM

The _ indexes (_internal, _audit) are often not available to standard users...also they are not searched by default so try the index=_internal and see if anything appears, if not run a query to check what index access you have...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply

Rocky31
Path Finder
‎01-30-2017 12:18 PM

index=_internal (action=edit) user=admin
| table _time,user,user_email,action,info

this is the search string i using, i checked in the roles access, i don't have access for _internal.

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎01-30-2017 04:38 PM

I use
| eventcount summarize=f index=_* index=* | dedup index | table index

FYI, but if you don't have _internal access you won't see the various sources you need...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Get Updates on the Splunk Community!

Holistic Visibility and Effective Alerting Across IT and OT Assets

Instead of effective and unified solutions, they’re left with tool fatigue, disjointed alerts and siloed ...

SOC Modernization: How Automation and Splunk SOAR are Shaping the Next-Gen Security ...

Security automation is no longer a luxury but a necessity. Join us to learn how Splunk ES and SOAR empower ...

Ask It, Fix It: Faster Investigations with AI Assistant in Observability Cloud

  Join us in this Tech Talk and learn about the recently launched AI Assistant in Observability Cloud. With ...
Top