Is there any way to limit list of users based on R...

crsplunkr · ‎03-24-2023

looking for the best way to audit all users accessing REST endpoints

found a way to list users, but any way to limit this based on REST calls?

| rest /services/authentication/users splunk_server=*

Tom_Lundie · ‎03-24-2023

Your best bet is going to be the splunkd_access sourcetype.

index="_internal" sourcetype="splunkd_access" host="<<SPLUNKHOST>>"
| stats values(user) as user
| mvexpand user

That being said, if you're auditing a SH, you're going to see lots of traffic from splunkweb.

To address this you could filter out the Splunk user agent (the risk with this is that user-agents can be modified):

index="_internal" sourcetype="splunkd_access" host="<<SPLUNKHOST>>"
| regex useragent!="Splunkd?\/[\d\.]+ \("
| stats values(user) as user
| mvexpand user

Or filter out any localhost connections:

index="_internal" sourcetype="splunkd_access" host="<<SPLUNKHOST>>" clientip!="127.0.0.1"
| stats values(user) as user
| mvexpand user

Is there any way to limit list of users based on REST calls?

access control

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you a member of the Splunk Community?

Is there any way to limit list of users based on REST calls?

access control

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...