Splunk Search

How to set up an alert if a user makes a change to a group?

Path Finder

I am fairly new to Splunk, but I am trying to create a search that would send out an alert whenever a member of a certain group makes a change to any data in the group they are in.

For example, if group x has 10 members, I would want to search for any members of that group who add a user to or delete a user from that group.

Thanks for the help.


Re: How to set up an alert if a user makes a change to a group?

Influencer

What does your event data look like when a user performs an addition or deletion? Provide some sample data and what you are expecting out of it.


Re: How to set up an alert if a user makes a change to a group?

Builder

Are you talking about internal Splunk groups & members? If so, the best thing would be to ensure those users don't have admin access if you don't want them changing group membership. Barring that, I don't see much in the internal index for security changes other than the web_access & splunkd_access logs. Even those don't have group membership details; however, you might assume that a POST to the auth pages (/en-US/manager/search/authentication/*) represented a change to something security-wise. You may pick up some false positives when someone changes their password, though.


Re: How to set up an alert if a user makes a change to a group?

Builder

Example search for auth changes in Splunk:

index=_internal host= method=POST "authentication"

It picked up the creation, group change, and password change events for the user I just tried out.
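The two Builder posts above describe a heuristic (a POST to the authentication manager pages in the internal web access log is probably a security change, with password changes as a known false positive) and give the search that implements the first half of it. The block below is an added example, not code from the thread or from Splunk: it applies the same heuristic outside Splunk, in Python, to a handful of constructed access-log lines, and adds the two refinements the original poster asked for and the answer warned about: only actors who are members of the watched group raise an alert, and requests that look like a password change are tagged as noise rather than silently dropped. The log lines, the group membership, and the `changepassword` path fragment are all constructed for the example; the real URIs a Splunk instance logs may differ.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Added example, not code from the thread. It mimics the thread's approach: treat a POST
# to the Splunk authentication manager pages as a probable security change, then narrow
# to actors who are members of the watched group and tag the password-change noise the
# answer warns about. The log lines below are constructed in a combined-log shape; they
# are NOT captured splunkd/web_access output, and the paths are illustrative only.
AUTH_PREFIX = "/en-US/manager/search/authentication/"
# Hypothetical path fragment used here to stand in for a password-change request.
PASSWORD_CHANGE_MARKER = "changepassword"

# Constructed membership of the group the original poster wants to watch.
GROUP_X_MEMBERS: Set[str] = {"alice", "bob", "carol"}

SAMPLE_LOG = """\
10.1.1.5 - alice [12/Mar/2020:10:00:01.000 +0000] "GET /en-US/manager/search/authentication/users HTTP/1.1" 200 5120
10.1.1.5 - alice [12/Mar/2020:10:00:09.000 +0000] "POST /en-US/manager/search/authentication/users/edit/carol HTTP/1.1" 303 0
10.1.1.9 - bob [12/Mar/2020:10:02:30.000 +0000] "POST /en-US/manager/search/authentication/changepassword HTTP/1.1" 303 0
10.1.1.7 - dave [12/Mar/2020:10:03:00.000 +0000] "POST /en-US/manager/search/authentication/users/edit/erin HTTP/1.1" 303 0
10.1.1.5 - alice [12/Mar/2020:10:04:00.000 +0000] "POST /en-US/app/search/search HTTP/1.1" 200 900
"""

LINE_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)'
)


@dataclass
class Alert:
    ts: str
    user: str
    clientip: str
    path: str
    kind: str  # "auth_change" or "password_change_noise"


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(fields: dict, watched_members: Set[str]) -> Optional[Alert]:
    """Apply the thread's heuristic to one parsed event."""
    if fields["method"] != "POST":
        return None                        # reads (GET) never change anything
    path = fields["uri"].split("?", 1)[0]  # drop any query string before matching
    if not path.startswith(AUTH_PREFIX):
        return None                        # not an authentication-manager page
    if fields["user"] not in watched_members:
        return None                        # actor is outside the group being watched
    kind = "password_change_noise" if PASSWORD_CHANGE_MARKER in path else "auth_change"
    return Alert(fields["ts"], fields["user"], fields["clientip"], path, kind)


def detect(lines: Iterable[str], watched_members: Set[str]) -> List[Alert]:
    """Run the heuristic over raw log lines, skipping anything that fails to parse."""
    alerts = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        alert = classify(fields, watched_members)
        if alert is not None:
            alerts.append(alert)
    return alerts


def actionable(alerts: List[Alert]) -> List[Alert]:
    """Keep only alerts that are not tagged as password-change noise."""
    return [a for a in alerts if a.kind == "auth_change"]


if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines(), GROUP_X_MEMBERS)
    for a in found:
        print(f"{a.ts}  {a.user:<6} {a.clientip:<10} {a.kind:<22} {a.path}")
    print(f"{len(actionable(found))} actionable of {len(found)} raised")
```

On the sample data only alice's edit of another user survives as actionable: bob's request is tagged as password-change noise and kept for review, dave's edit is ignored because he is not in the watched group, and the GET and the unrelated search POST never match. The same three filters map directly onto the thread's search (method, URI prefix, and a `user` lookup against the group's member list), which is where they belong once the heuristic is confirmed against real web_access events.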


Re: How to set up an alert if a user makes a change to a group?

Path Finder

Thanks jeremiahc4. Used the

index=_internal host= method=POST "authentication"

as an example and got it working for what I needed it to do.