Security

Is there any way to limit list of users based on REST calls?

crsplunkr
Loves-to-Learn Everything

looking for the best way to audit all users accessing REST endpoints

found a way to list users, but any way to limit this based on REST calls?

| rest /services/authentication/users splunk_server=*
Labels (1)
0 Karma

Tom_Lundie
Contributor

Your best bet is going to be the splunkd_access sourcetype.

index="_internal" sourcetype="splunkd_access" host="<<SPLUNKHOST>>"
| stats values(user) as user
| mvexpand user

That being said, if you're auditing a SH, you're going to see lots of traffic from splunkweb.

To address this you could filter out the Splunk user agent (the risk with this is that user-agents can be modified):  

index="_internal" sourcetype="splunkd_access" host="<<SPLUNKHOST>>"
| regex useragent!="Splunkd?\/[\d\.]+ \("
| stats values(user) as user
| mvexpand user

 

 Or filter out any localhost connections:

index="_internal" sourcetype="splunkd_access" host="<<SPLUNKHOST>>" clientip!="127.0.0.1"
| stats values(user) as user
| mvexpand user​
0 Karma
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...