Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there any way to detect if somebody ran the delete command in a search?

pinVie
Path Finder
‎08-16-2016 04:39 AM

Hello all,

Is there any possibility to detect if somebody ran a | delete command?
I do know about the "can delete" permission and currently, it is not assigned to anyone, but this might change in the future (I will hand over Splunk responsibility to someone else).

I tried to find some _internal logs that mention a previously executed delete command (on demo data of course 🙂 ) but I could not find any.

Thank you!

Reply

wplom
Engager
‎03-08-2023 02:08 PM

Hi everyone. Previous replies to this topic will work but a threat actor can exploit spaces, carriage returns, and Splunk comments to bypass your search query looking for delete commands. Please use this query if you want to account for that:

index=_audit action=search
| regex search="\\|(\\s|\\n|\\r|(```[\\s\\S]*```))*delete"

 

0 Karma
Reply

acustomer
Explorer
‎04-24-2020 11:48 AM

I noticed Splunk isn't consistently extracting the search field for all events in the _audit index, so here's the syntax to just search _raw with regex:

index=_audit 
| regex _raw="\|\s*delete"
0 Karma
Reply

muebel
SplunkTrust
SplunkTrust
‎08-16-2016 04:48 AM

Hi pinVie, this command should work for reveal any search command that has delete in the search string:

index=_audit action=search info=granted search=* | where match(search,"delete")

Additionally, you can set this up as an alert to reveal whenever a user is granted the can_delete capability:

| rest splunk_server=local /services/authentication/users | search capabilities=delete_by_keyword

Please let me know if this answers your question!

Reply

sundareshr
Legend
‎08-16-2016 08:04 PM

You may want to use ... | regex search="\|\s*delete" instead of ... | where match..., the where will match deleted.

Reply
Get Updates on the Splunk Community!

How to send events & findings from AWS to Splunk using Amazon EventBridge

Amazon EventBridge is a serverless service that uses events to connect application components together, making ...

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...
li.common.scroll-to.top