Splunk Search

Is there any way to detect if somebody ran the delete command in a search?

pinVie
Path Finder

Hello all,

Is there any possibility to detect if somebody ran a | delete command?
I do know about the "can delete" permission and currently, it is not assigned to anyone, but this might change in the future (I will hand over Splunk responsibility to someone else).

I tried to find some _internal logs that mention a previously executed delete command (on demo data of course 🙂 ) but I could not find any.

Thank you!

wplom
Engager

Hi everyone. Previous replies to this topic will work but a threat actor can exploit spaces, carriage returns, and Splunk comments to bypass your search query looking for delete commands. Please use this query if you want to account for that:

index=_audit action=search
| regex search="\\|(\\s|\\n|\\r|(```[\\s\\S]*```))*delete"


acustomer
Explorer

I noticed Splunk isn't consistently extracting the search field for all events in the _audit index, so here's the syntax to just search _raw with regex:

index=_audit 
| regex _raw="\|\s*delete"

muebel
SplunkTrust

Hi pinVie, this command should work to reveal any search that has delete in the search string:

index=_audit action=search info=granted search=* | where match(search,"delete")

Additionally, you can set this up as an alert to reveal whenever a user is granted the can_delete capability:

| rest splunk_server=local /services/authentication/users | search capabilities=delete_by_keyword

Please let me know if this answers your question!

sundareshr
Legend

You may want to use ... | regex search="\|\s*delete" instead of ... | where match...; the where will also match deleted.
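Both wplom's whitespace/comment-aware regex and sundareshr's point about match() also catching "deleted" can be checked offline. The following is an added example, not code from any poster or from Splunk: a Python port of the regex run over constructed _audit-style search strings. Case-insensitive matching is an assumption added here, since SPL command names are not case-sensitive.

```python
import re

# Python port of the regex from wplom's reply. Splunk's regex command is PCRE,
# and this pattern only uses features that behave the same in Python's re.
# It matches a pipe, then any mix of whitespace / CR / LF / ```...``` SPL
# comments, then the literal command name "delete". IGNORECASE is an
# assumption added here (not on the page): SPL command names are case-insensitive.
DELETE_PIPE_RE = re.compile(r"\|(\s|\n|\r|(```[\s\S]*```))*delete", re.IGNORECASE)


def is_delete_search(search: str) -> bool:
    """True if the SPL string invokes the delete command
    (equivalent of the '| regex search=...' reply above)."""
    return DELETE_PIPE_RE.search(search) is not None


def naive_match(search: str) -> bool:
    """Equivalent of '| where match(search,"delete")': any occurrence of the
    substring 'delete', so it also fires on 'deleted' (sundareshr's point)."""
    return re.search("delete", search) is not None


def audit_delete_searches(events):
    """Return (user, search) for every _audit-style event whose search
    string ran the delete command."""
    return [(e["user"], e["search"]) for e in events if is_delete_search(e["search"])]


# Constructed _audit-like records (not real Splunk output).
SAMPLE_EVENTS = [
    {"user": "admin", "search": "search index=demo sourcetype=access | delete"},
    {"user": "admin", "search": "search index=demo |     delete"},           # extra spaces
    {"user": "ops",   "search": "search index=demo |\r\ndelete"},            # line breaks
    {"user": "ops",   "search": "search index=demo | ```cleanup``` DELETE"}, # SPL comment
    {"user": "bob",   "search": "search index=demo status=deleted | stats count"},
    {"user": "bob",   "search": "search index=demo | stats count by user"},
]

if __name__ == "__main__":
    for user, spl in audit_delete_searches(SAMPLE_EVENTS):
        print(f"{user}: {spl!r}")
```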
