Splunk Search

Is there any way to detect if somebody ran the delete command in a search?

pinVie
Path Finder

Hello all,

Is there any possibility to detect if somebody ran a | delete command?
I do know about the "can delete" permission and currently, it is not assigned to anyone, but this might change in the future (I will hand over Splunk responsibility to someone else).

I tried to find some _internal logs that mention a previously executed delete command (on demo data of course 🙂 ) but I could not find any.

Thank you!

wplom
Engager

Hi everyone. Previous replies to this topic will work but a threat actor can exploit spaces, carriage returns, and Splunk comments to bypass your search query looking for delete commands. Please use this query if you want to account for that:

index=_audit action=search
| regex search="\\|(\\s|\\n|\\r|(```[\\s\\S]*```))*delete"

 

0 Karma

acustomer
Explorer

I noticed Splunk isn't consistently extracting the search field for all events in the _audit index, so here's the syntax to just search _raw with regex:

index=_audit 
| regex _raw="\|\s*delete"
0 Karma

muebel
SplunkTrust
SplunkTrust

Hi pinVie, this command should work for reveal any search command that has delete in the search string:

index=_audit action=search info=granted search=* | where match(search,"delete")

Additionally, you can set this up as an alert to reveal whenever a user is granted the can_delete capability:

| rest splunk_server=local /services/authentication/users | search capabilities=delete_by_keyword

Please let me know if this answers your question!

sundareshr
Legend

You may want to use ... | regex search="\|\s*delete" instead of ... | where match..., the where will match deleted.

Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...