Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there any way to detect if somebody ran the delete command in a search?

pinVie
Path Finder
‎08-16-2016 04:39 AM

Hello all,

Is there any possibility to detect if somebody ran a | delete command?
I do know about the "can delete" permission and currently, it is not assigned to anyone, but this might change in the future (I will hand over Splunk responsibility to someone else).

I tried to find some _internal logs that mention a previously executed delete command (on demo data of course 🙂 ) but I could not find any.

Thank you!

Reply

wplom
Engager
‎03-08-2023 02:08 PM

Hi everyone. Previous replies to this topic will work but a threat actor can exploit spaces, carriage returns, and Splunk comments to bypass your search query looking for delete commands. Please use this query if you want to account for that:

index=_audit action=search
| regex search="\\|(\\s|\\n|\\r|(```[\\s\\S]*```))*delete"

 

0 Karma
Reply

acustomer
Explorer
‎04-24-2020 11:48 AM

I noticed Splunk isn't consistently extracting the search field for all events in the _audit index, so here's the syntax to just search _raw with regex:

index=_audit 
| regex _raw="\|\s*delete"
0 Karma
Reply

muebel
SplunkTrust
SplunkTrust
‎08-16-2016 04:48 AM

Hi pinVie, this command should work for reveal any search command that has delete in the search string:

index=_audit action=search info=granted search=* | where match(search,"delete")

Additionally, you can set this up as an alert to reveal whenever a user is granted the can_delete capability:

| rest splunk_server=local /services/authentication/users | search capabilities=delete_by_keyword

Please let me know if this answers your question!

Reply

sundareshr
Legend
‎08-16-2016 08:04 PM

You may want to use ... | regex search="\|\s*delete" instead of ... | where match..., the where will match deleted.

Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top