Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there any way to detect if somebody ran the delete command in a search?

pinVie
Path Finder
‎08-16-2016 04:39 AM

Hello all,

Is there any possibility to detect if somebody ran a | delete command?
I do know about the "can delete" permission and currently, it is not assigned to anyone, but this might change in the future (I will hand over Splunk responsibility to someone else).

I tried to find some _internal logs that mention a previously executed delete command (on demo data of course 🙂 ) but I could not find any.

Thank you!

Reply

wplom
Engager
‎03-08-2023 02:08 PM

Hi everyone. Previous replies to this topic will work but a threat actor can exploit spaces, carriage returns, and Splunk comments to bypass your search query looking for delete commands. Please use this query if you want to account for that:

index=_audit action=search
| regex search="\\|(\\s|\\n|\\r|(```[\\s\\S]*```))*delete"

 

0 Karma
Reply

acustomer
Explorer
‎04-24-2020 11:48 AM

I noticed Splunk isn't consistently extracting the search field for all events in the _audit index, so here's the syntax to just search _raw with regex:

index=_audit 
| regex _raw="\|\s*delete"
0 Karma
Reply

muebel
SplunkTrust
SplunkTrust
‎08-16-2016 04:48 AM

Hi pinVie, this command should work for reveal any search command that has delete in the search string:

index=_audit action=search info=granted search=* | where match(search,"delete")

Additionally, you can set this up as an alert to reveal whenever a user is granted the can_delete capability:

| rest splunk_server=local /services/authentication/users | search capabilities=delete_by_keyword

Please let me know if this answers your question!

Reply

sundareshr
Legend
‎08-16-2016 08:04 PM

You may want to use ... | regex search="\|\s*delete" instead of ... | where match..., the where will match deleted.

Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...