Splunk Search

deleted data - | delete - a query to prove this command has not been used and no data has been deleted?

r999
Path Finder

How can i tell if any data has been deleted using the | delete command?

how can i prove no data has been deleted?

Can i see if there are any flags against the data on the idnexers?

Does this command hide the data at Search Head leel or at the Indexer?

Edit: To clarify - i understand this command does not actually delete the data. i want to know if any admin user has given themself the can_delete privelege and deleted(hidden) data using |delete.

Tags (2)
1 Solution

jonuwz
Influencer

This search will show you if anyone has run the delete command :

index=_audit sourcetype=audittrail action=search search=*delete* 
| where match(search,"\|\s*delete")
| table search user

As for working out if someone has the capability, you need to look in each copy of authorize.conf to see what roles have the can_delete capability

If you have the SoS application installed, you can run this search within the app :

| btool authorize | extract | where delete_by_keyword="enabled" | table stanza

to get a list of roles with the can_delete capability.

Then you need to look in etc/passwd to see what users have these roles.
If you're going to do it properly, you'll need to factor in role heirarchies.

You might also consider signing the audit events so people cannot tamper with the results.

View solution in original post

jonuwz
Influencer

This search will show you if anyone has run the delete command :

index=_audit sourcetype=audittrail action=search search=*delete* 
| where match(search,"\|\s*delete")
| table search user

As for working out if someone has the capability, you need to look in each copy of authorize.conf to see what roles have the can_delete capability

If you have the SoS application installed, you can run this search within the app :

| btool authorize | extract | where delete_by_keyword="enabled" | table stanza

to get a list of roles with the can_delete capability.

Then you need to look in etc/passwd to see what users have these roles.
If you're going to do it properly, you'll need to factor in role heirarchies.

You might also consider signing the audit events so people cannot tamper with the results.

DaveSavage
Builder

I suspect the answer you seek is already covered in the knowledge base. Ses http://splunk-base.splunk.com/answers/30132/how-to-really-delete-not-hide-data-from-splunk for example.
You may need to differentiate in understanding between deleted (index content which does mean not available) and no longer in your system.
Good luck.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...