I am fairly new to Splunk, but I am trying to create a search that would send out an alert whenever a member of a certain group makes a change to any data in the group they are in.
For example, if group x has 10 members, I would want to search for any member of that group who either adds or deletes a user in that group.
Thanks for the help.
Are you talking about internal Splunk groups & members? If so, the best thing would be to ensure those users don't have admin access if you don't want them changing group membership. Barring that, I don't see much in the _internal index for security changes other than the web_access & splunkd_access logs. Even those don't have group membership details; however, you might assume that a POST to the auth pages (/en-US/manager/search/authentication/*) represented a change to something security-wise. You may pick up some false positives when someone changes their password, though.
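The detection the answer above sketches, written out as an added example (this is not code from the thread or from Splunk): parse web_access.log-style lines, keep only POSTs under the authentication manager path, optionally restrict to a watch list of users standing in for "group x" (since, as the answer notes, the log carries no group membership), and separate self-service password changes from user-management changes so the known false positive can be filtered or down-ranked. The line layout, the "changepassword" path tail, and the sample log lines are assumptions constructed for the example, not taken from a real Splunk instance.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Assumed line shape for splunkweb's web_access.log: Apache combined style
# with the authenticated Splunk user in the third field.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The auth manager path the answer above points at.
AUTH_PREFIX = "/en-US/manager/search/authentication/"


@dataclass
class AuthChange:
    ts: str
    user: str
    method: str
    path: str
    status: int
    kind: str  # "user_management" or "password_change"


def classify(path: str) -> Optional[str]:
    """Return the change category for a request path, or None if it is not
    an auth-manager request at all."""
    if not path.startswith(AUTH_PREFIX):
        return None
    tail = path[len(AUTH_PREFIX):]
    # Assumption for this example: a self-service password change lands
    # under "changepassword"; any other POST under the auth manager is
    # treated as a user/role management change. Adjust to match the
    # paths your own web_access.log actually shows.
    if tail.startswith("changepassword"):
        return "password_change"
    return "user_management"


def auth_change_events(lines: Iterable[str],
                       watched_users: Optional[Set[str]] = None) -> List[AuthChange]:
    """Scan log lines and return the POSTs to the auth manager, keeping the
    status code so a caller can drop failed submissions if desired."""
    hits: List[AuthChange] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        kind = classify(m["path"])
        if kind is None:
            continue
        # Stand-in for "members of group x": the log has no group field.
        if watched_users is not None and m["user"] not in watched_users:
            continue
        hits.append(AuthChange(m["ts"], m["user"], m["method"], m["path"],
                               int(m["status"]), kind))
    return hits


def alert_worthy(events: List[AuthChange]) -> List[AuthChange]:
    """Filter out the password-change false positive the answer warns about."""
    return [e for e in events if e.kind == "user_management"]


# Constructed sample lines (not real Splunk output) covering a GET that must
# be ignored, a user creation, a password change, a deletion, an unrelated
# POST, and an edit of an existing user.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Mar/2013:09:14:01.123 -0500] "GET /en-US/manager/search/authentication/users HTTP/1.1" 200 - - - 12ms
10.0.0.5 - alice [12/Mar/2013:09:14:20.456 -0500] "POST /en-US/manager/search/authentication/users/_new HTTP/1.1" 303 - - - 48ms
10.0.0.7 - bob [12/Mar/2013:09:20:11.789 -0500] "POST /en-US/manager/search/authentication/changepassword HTTP/1.1" 303 - - - 30ms
10.0.0.9 - carol [12/Mar/2013:09:25:44.000 -0500] "POST /en-US/manager/search/authentication/users/dave/delete HTTP/1.1" 303 - - - 20ms
10.0.0.9 - carol [12/Mar/2013:09:26:00.000 -0500] "POST /en-US/app/search/flashtimeline HTTP/1.1" 200 - - - 90ms
10.0.0.5 - alice [12/Mar/2013:09:30:00.000 -0500] "POST /en-US/manager/search/authentication/users/dave HTTP/1.1" 303 - - - 33ms
"""

if __name__ == "__main__":
    for e in alert_worthy(auth_change_events(SAMPLE_LOG.splitlines(), {"alice", "carol"})):
        print(f"{e.ts} {e.user} {e.method} {e.path} -> {e.status} [{e.kind}]")
```

Run against the sample, the watch list of alice and carol yields three user-management POSTs and drops bob's password change; without a watch list the password change is still returned, tagged so the alert can exclude it. In Splunk itself the same idea is a search over index=_internal against the web_access log restricted to POSTs whose URI starts with /en-US/manager/search/authentication/ (the exact field names to use depend on how that sourcetype is extracted in your deployment, so check them rather than copying this example).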
Thanks, jeremiahc4. I used the
"index=_internal host=
as an example and got it working for what I needed it to do.
Example search for auth changes in Splunk:
index=_internal host=
It picked up the creation, group change, and password change events for the user I just tried out.
What does your event data look like when a user performs an addition or deletion? Provide some sample data and what you are expecting out of it.