Splunk Enterprise Security
Highlighted

Where is the log that shows when a ES correlated search is created, edited, or disabled?

Builder

I'd like to create an auditing like dashboard panel that shows the user, the name of the correlated rule, the action (creation, deletion, edit, enable/disable). I have looked around in the _* indexes and can't find it. Can someone point me in the right direction?

0 Karma
Highlighted

Re: Where is the log that shows when a ES correlated search is created, edited, or disabled?

Champion

Did you search for _audit index?

Also you can use this app:
https://splunkbase.splunk.com/app/4144/

Highlighted

Re: Where is the log that shows when a ES correlated search is created, edited, or disabled?

Splunk Employee
Splunk Employee

+1 on this app! @DEAD_BEEF you could grab the search from the app and use it to suit your needs as well.

0 Karma
Highlighted

Re: Where is the log that shows when a ES correlated search is created, edited, or disabled?

SplunkTrust
SplunkTrust

Did you try :

|rest /servicesNS/-/-/saved/searches splunk_server=local

This would show the owner, search, description, status etc.. and you can choose the fields that are of interest to you.

0 Karma