Splunk Search

Changes to user or group privileges


Hi all.
This rule has been driving me crazy for a while now, and the teams working on it too.

Just looking for a way to track standard commands for user and/or group modifications.

I tried using the built-in syslog keys [index="*" sourcetype="syslog" (key=user_modification OR key=group_modification OR key=etcgroup OR key=etcpasswd)]

and while this works, it throws up so many false positives, such as users whose password is changed by CyberArk.

Has anyone had a similar issue and how did you best fix/monitor it?
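Added example, not part of the post above: one way to cut the password-rotation noise without dropping the account doing it from the rule entirely, by excluding only the exact actor-plus-command pair the rotation tool is expected to produce and still reporting everything else that actor does. It assumes auditd records carrying the same key= values the search above uses, a hypothetical login uid 3000 for the password-management service account, and that this account is only ever expected to run passwd or chpasswd; the log lines are constructed.

```python
import re

# Constructed auditd records in the shape auditd writes them; uids, ids and
# timestamps are made up. "auid" is the login uid, i.e. who originally logged
# in, which survives sudo and is the right field to attribute an action to.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1620000000.101:501): arch=c000003e syscall=59 success=yes exit=0 auid=1001 uid=0 comm="usermod" exe="/usr/sbin/usermod" key="user_modification"',
    'type=SYSCALL msg=audit(1620000000.205:502): arch=c000003e syscall=59 success=yes exit=0 auid=3000 uid=0 comm="passwd" exe="/usr/bin/passwd" key="user_modification"',
    'type=SYSCALL msg=audit(1620000000.310:503): arch=c000003e syscall=59 success=yes exit=0 auid=3000 uid=0 comm="chpasswd" exe="/usr/sbin/chpasswd" key="user_modification"',
    'type=SYSCALL msg=audit(1620000000.420:504): arch=c000003e syscall=59 success=yes exit=0 auid=3000 uid=0 comm="usermod" exe="/usr/sbin/usermod" key="group_modification"',
    'type=SYSCALL msg=audit(1620000000.530:505): arch=c000003e syscall=59 success=yes exit=0 auid=1002 uid=0 comm="groupadd" exe="/usr/sbin/groupadd" key="group_modification"',
    'type=SYSCALL msg=audit(1620000000.640:506): arch=c000003e syscall=2 success=yes exit=3 auid=1001 uid=1001 comm="vi" exe="/usr/bin/vi" key="etcpasswd"',
]

# The audit keys from the post's search.
WATCHED_KEYS = {"user_modification", "group_modification", "etcgroup", "etcpasswd"}

# Hypothetical: login uid of the password-management service account and the
# only commands it is expected to run. Anything else it does still alerts.
PAM_ACCOUNT_AUID = "3000"
PAM_EXPECTED_COMMS = {"passwd", "chpasswd"}

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_record(line):
    """Split one auditd record into its key=value fields, quotes stripped."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields

def is_expected_rotation(fields):
    """True only for the exact actor + command pair the rotation tool is known for."""
    return (fields.get("auid") == PAM_ACCOUNT_AUID
            and fields.get("comm") in PAM_EXPECTED_COMMS)

def alerts(records):
    """Return (auid, comm, key) for watched events, minus the scoped exclusion."""
    out = []
    for line in records:
        f = parse_record(line)
        if f.get("key") not in WATCHED_KEYS or is_expected_rotation(f):
            continue
        out.append((f.get("auid"), f.get("comm"), f.get("key")))
    return out

if __name__ == "__main__":
    for auid, comm, key in alerts(SAMPLE_RECORDS):
        print(f"ALERT auid={auid} comm={comm} key={key}")
```

In Splunk the same idea is a narrow exclusion appended to the search, on the order of NOT (auid=<service-account-auid> comm IN (passwd, chpasswd)), assuming those fields are extracted from the auditd events, rather than excluding the service account altogether.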
