Splunk Search

List all created users with their roles.

omateusz
New Member

Hi,

I would like to see the roles of the created users, not the roles of the user which created the account. Is there a way to do this?

index=_audit action=edit_user operation=create
| eval timestamp_formated=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N")
| convert timeformat="%d/%b/%Y" ctime(timestamp_formated)
| eval timestamp = strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N")
| join user
    [| rest /services/authentication/users
    | fields title roles
    | rename title AS user ]
| rename object as created_user, user as created_by
| stats values(roles) as user_roles values(timestamp) as timestamp values(host) as created_on by timestamp_formated created_user created_by
| sort - timestamp
| fields - timestamp
0 Karma

woodcock
Esteemed Legend

Here is how we audit and figure out who is able to do what and slowly remove those who don't need it.

| rest /services/authentication/users
| dedup id
| rename title AS username roles AS role_direct
| mvexpand role_direct
| eval user=username . " = " . realname
| fields user role_direct
| appendpipe [
| rest /services/authorization/roles
| dedup id
| rename title AS role_direct
| eval role_add = role_direct
| eval combined_roles=mvappend(role_add,imported_roles)
| mvexpand combined_roles 
| fields role_direct, combined_roles]
| stats list(*) AS * BY role_direct
| mvexpand combined_roles
| rename combined_roles AS combined_role
| eval formatted_role=if(combined_role = role_direct,combined_role." (direct assignment)",combined_role." (inherited through ".role_direct.")")
| appendpipe [
| rest /services/authorization/roles 
| dedup id
| rename title AS combined_role
| fields combined_role capabilities]
| stats list(*) AS * BY combined_role
| mvexpand formatted_role
| mvexpand capabilities
| mvexpand user
| rename capabilities AS capability
| rename formatted_role AS "role (inheritance)"
| table user "role (inheritance)" capability
| search capability="edit_user"
0 Karma
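The search above flattens role inheritance one level (a role plus the roles it imports) and then filters the resulting user/role/capability table. The Python below is an added illustration of the same "who is able to do what" flattening, not code from the thread or from Splunk: the /services/authorization/roles and /services/authentication/users listings are stubbed as constructed dicts, and it goes one step further than the SPL by following imported_roles transitively, so a capability inherited two hops away is still attributed to the user with the full inheritance path.

```python
"""Flatten Splunk role inheritance into a user / role (inheritance) / capability
table, modelled on the audit search in the thread. All data is constructed;
the REST endpoints are stubbed as dicts (assumption, not real Splunk output)."""

# Constructed stand-in for `| rest /services/authorization/roles`
ROLES = {
    "user":     {"imported_roles": [],        "capabilities": ["search", "list_inputs"]},
    "power":    {"imported_roles": ["user"],  "capabilities": ["schedule_search"]},
    "admin":    {"imported_roles": ["power"], "capabilities": ["edit_user", "edit_roles"]},
    "helpdesk": {"imported_roles": ["power"], "capabilities": ["edit_user"]},
}

# Constructed stand-in for `| rest /services/authentication/users` (title -> roles)
USERS = {
    "admin": ["admin"],
    "alice": ["user"],
    "bob":   ["helpdesk"],
}


def expand_role(role, roles, chain=()):
    """Yield (effective_role, chain) for a directly assigned role and every role it
    imports, transitively. The SPL above only appends one level of imported_roles;
    this recursion follows the whole chain and records the inheritance path."""
    if role in chain:  # defensive: Splunk rejects cycles, but never loop on bad input
        return
    yield role, chain
    for imported in roles.get(role, {}).get("imported_roles", []):
        yield from expand_role(imported, roles, chain + (role,))


def format_role(role, chain):
    """Same labelling idea as the thread's formatted_role field."""
    if not chain:
        return f"{role} (direct assignment)"
    return f"{role} (inherited through {' > '.join(chain)})"


def user_capabilities(users, roles):
    """Rows of (user, 'role (inheritance)', capability), like the final table."""
    rows = []
    for user, direct_roles in users.items():
        for direct in direct_roles:
            for effective, chain in expand_role(direct, roles):
                for cap in roles.get(effective, {}).get("capabilities", []):
                    rows.append((user, format_role(effective, chain), cap))
    return rows


def who_can(capability, users=USERS, roles=ROLES):
    """Equivalent of `| search capability="..."` on the flattened table:
    the distinct (user, role-with-inheritance) pairs granting that capability."""
    return sorted({(u, r) for u, r, c in user_capabilities(users, roles) if c == capability})


if __name__ == "__main__":
    for user, via in who_can("edit_user"):
        print(f"{user:10} {via}")
```

Running it with the constructed data lists admin (direct) and bob (through the helpdesk role) for edit_user, which is exactly the set you would review when pruning who may create accounts; asking for "search" shows alice directly and bob via helpdesk > power > user.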

martin_mueller
SplunkTrust

You're joining on the field user, which is the creating user in your audit logs - the created user is in the field object.

Change your rename to AS object inside the join, and join on object.

0 Karma
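To make the fix concrete, here is an added Python model of the join from the original question and of the correction in this answer. It is not code from the thread or from Splunk: the _audit events and the /services/authentication/users listing are constructed sample data, and the join is emulated in plain Python so the difference between joining on user (the creator) and on object (the created account) can be seen on the same input.

```python
"""Emulate `index=_audit action=edit_user operation=create | join <field> [ rest users ]`
on constructed data, to show why the join key must be object, not user."""
from datetime import datetime

# Constructed audit events. In _audit, `user` is the account performing the action
# and `object` is the account being created (assumed field layout, sample values).
AUDIT_EVENTS = [
    {"timestamp": "01-15-2024 10:02:11.123", "user": "admin", "object": "alice",
     "action": "edit_user", "operation": "create", "host": "sh01"},
    {"timestamp": "01-15-2024 10:05:40.456", "user": "admin", "object": "bob",
     "action": "edit_user", "operation": "create", "host": "sh01"},
    {"timestamp": "01-16-2024 09:00:00.000", "user": "helpdesk", "object": "carol",
     "action": "edit_user", "operation": "create", "host": "sh02"},
    {"timestamp": "01-16-2024 09:30:00.000", "user": "admin", "object": "alice",
     "action": "edit_user", "operation": "edit", "host": "sh01"},  # not a create
]

# Constructed stand-in for `| rest /services/authentication/users | fields title roles`
REST_USERS = {
    "admin":    ["admin"],
    "helpdesk": ["user", "power"],
    "alice":    ["user"],
    "bob":      ["power"],
    "carol":    ["user"],
}


def parse_audit_time(value):
    """strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N") in SPL; %f accepts 3 digits here."""
    return datetime.strptime(value, "%m-%d-%Y %H:%M:%S.%f")


def created_users(events, users, join_field):
    """Return rows {created_user, created_by, created_on, user_roles, timestamp},
    newest first, joining the audit events to the user listing on `join_field`.

    join_field="user"   reproduces the original search: roles of the creator.
    join_field="object" is the corrected search: roles of the created account.
    Like SPL's default inner join, rows with no matching user are dropped."""
    rows = []
    for ev in events:
        if ev.get("action") != "edit_user" or ev.get("operation") != "create":
            continue
        key = ev[join_field]
        if key not in users:
            continue
        rows.append({
            "created_user": ev["object"],
            "created_by": ev["user"],
            "created_on": ev["host"],
            "user_roles": sorted(users[key]),
            "timestamp": parse_audit_time(ev["timestamp"]),
        })
    return sorted(rows, key=lambda r: r["timestamp"], reverse=True)


def roles_by_created_user(events, users, join_field):
    """Convenience view: {created_user: user_roles} for the chosen join key."""
    return {r["created_user"]: r["user_roles"] for r in created_users(events, users, join_field)}


if __name__ == "__main__":
    print("join on user   ->", roles_by_created_user(AUDIT_EVENTS, REST_USERS, "user"))
    print("join on object ->", roles_by_created_user(AUDIT_EVENTS, REST_USERS, "object"))
```

With the user join every account created by admin appears to hold the admin role, which is the symptom in the question; with the object join alice shows user, bob shows power and carol shows user, and the creator is still reported separately in created_by.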