Splunk Enterprise Security

Where is the log that shows when a ES correlated search is created, edited, or disabled?

Builder

I'd like to create an auditing like dashboard panel that shows the user, the name of the correlated rule, the action (creation, deletion, edit, enable/disable). I have looked around in the _* indexes and can't find it. Can someone point me in the right direction?

0 Karma

SplunkTrust
SplunkTrust

Did you try :

|rest /servicesNS/-/-/saved/searches splunk_server=local

This would show the owner, search, description, status etc.. and you can choose the fields that are of interest to you.

0 Karma

Champion

Did you search for _audit index?

Also you can use this app:
https://splunkbase.splunk.com/app/4144/

Splunk Employee
Splunk Employee

+1 on this app! @DEAD_BEEF you could grab the search from the app and use it to suit your needs as well.

0 Karma