Splunk Enterprise Security

Splunk Enterprise Security: Is it possible to create a correlation search on admin activity and if yes, what data model is suitable for it?

Rocky31
Path Finder

I want to see an event in Incident Review on admin activity. How do I create a correlation search for it? Give me advice, guys; this is high priority.


jstoner_splunk
Splunk Employee

You may want to look at some of the audit dashboards in ES and consider using them as a starting point for the correlation search you want to write. For example, the Search Audit dashboard has a panel that calculates run time, but it contains the search itself as well as the user and time. Drilling into it, you can see that it uses the macro search_activity and then works on that to format the output and calculate time. You could potentially use that as a starting point and tweak it to look at the activity that a specific account name, like admin, is doing. Correlation searches do not need to use data models, though it makes a lot of sense to in most cases when dealing with sensors and endpoints that can be heterogeneous.

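Following the suggestion above, here is an added example (not code from this thread or from ES itself) of what such a correlation search can look like as a savedsearches.conf stanza. It assumes the account is literally named admin, that configuration-change audit events in index=_audit carry action values beginning with edit_ together with user, info and object fields, and that the notable-event keys shown match the ES version in use.

```conf
# Added example: ES correlation search that raises a notable event in Incident Review
# when the admin account makes configuration changes.
# Assumptions: the account is named "admin"; config-change audit events in index=_audit
# have action values starting with "edit_" (e.g. edit_user) plus user, info and object fields.
[Admin Configuration Change Detected - Rule]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
# Aggregate per user so a burst of edits becomes one notable event instead of one per edit.
search = index=_audit user=admin action=edit_* info=granted \
| stats count AS edit_count, earliest(_time) AS first_edit, latest(_time) AS last_edit, \
        values(action) AS actions, values(object) AS objects BY user \
| convert ctime(first_edit) ctime(last_edit)
counttype = number of events
relation = greater than
quantity = 0
# Register the search with ES and create a notable event from each result row.
action.correlationsearch.enabled = 1
action.correlationsearch.label = Admin Configuration Change Detected
action.notable = 1
action.notable.param.rule_title = Admin account $user$ made $edit_count$ configuration change(s)
action.notable.param.rule_description = The admin account performed granted edit actions ($actions$) on $objects$ between $first_edit$ and $last_edit$.
action.notable.param.security_domain = access
action.notable.param.severity = medium
```

Before scheduling it, run the search line interactively with a role that can read _audit to confirm the action and object values your deployment actually emits.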

hardikJsheth
Motivator

You can create a correlation search as per your requirement; however, there aren't any data models which you can use for this. For admin activities you should be able to get data from the _internal index.


Rocky31
Path Finder

I mean, what is the best suitable application context?


Rocky31
Path Finder

Thanks for your reply. I don't see any internal index. Do you mean internal_audit_logs or splunk_audit?

Thanks,


hardikJsheth
Motivator

I meant _internal. You can search through this index:

index=_internal


Rocky31
Path Finder

Do I need admin access to access this index?


gjanders
SplunkTrust

The _ indexes (_internal, _audit) are often not available to standard users... Also, they are not searched by default, so try index=_internal and see if anything appears; if not, run a query to check what index access you have...


Rocky31
Path Finder

index=_internal (action=edit) user=admin
| table _time,user,user_email,action,info

This is the search string I am using. I checked the role access; I don't have access to _internal.


gjanders
SplunkTrust

I use
| eventcount summarize=f index=_* index=* | dedup index | table index

FYI, but if you don't have _internal access you won't see the various sources you need...
