Splunk Search

How to search for admins who make changes to their own accounts?

ajmach343
Observer

I am trying to make a search that will fire only when an admin makes a change to their own account.

I want to know if a-johndoe gives multiple permissions to a-johndoe and NOT if a-johndoe gives permissions to a-janedoe. 

Would I use an IF statement for this?


Thank you

0 Karma

ajmach343
Observer

Apologies, this will be for Windows event logs and Ivanti logs.

0 Karma

PickleRick
SplunkTrust

What data are you talking about?

Splunk account changes? Windows Event Logs? Some (what) Linux audit logs?

If your data is CIM-normalized, you should use Change.Account_Management dataset.

0 Karma

ajmach343
Observer

Was able to figure it out!

Needed to just use an IF statement.

| eval testuser=if(admin=target,1,0)
| where testuser=1

0 Karma
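As an added illustration (not code from the thread), the same "actor equals target" check written in Python, with one caveat a plain equality miss: the acting account and the changed account often arrive in different shapes (CORP\a-johndoe, a-johndoe@corp.example, A-JOHNDOE), so both sides are normalized before comparing. Field names src_user/user follow the CIM Change model mentioned earlier; the event records and the Windows event-code filter are assumptions constructed for this example.

```python
# Windows Security event IDs that describe an account-management action
# (standard Windows codes; the set is an assumption for this example and
# can be widened to whatever your sourcetype actually emits).
ACCOUNT_MGMT_EVENTS = {
    4720: "user account created",
    4722: "user account enabled",
    4724: "password reset attempted",
    4728: "member added to security-enabled global group",
    4732: "member added to security-enabled local group",
    4738: "user account changed",
    4756: "member added to security-enabled universal group",
}

def normalize_account(name: str) -> str:
    """Reduce 'CORP\\a-johndoe', 'a-johndoe@corp.example', 'A-JohnDoe' to 'a-johndoe'."""
    name = name.strip()
    if "\\" in name:                      # DOMAIN\user -> user
        name = name.rsplit("\\", 1)[1]
    if "@" in name:                       # user@domain -> user
        name = name.split("@", 1)[0]
    return name.lower()

def self_changes(events):
    """Return the account-management events whose actor (src_user)
    and affected account (user) are the same principal."""
    hits = []
    for ev in events:
        if ev.get("EventCode") not in ACCOUNT_MGMT_EVENTS:
            continue                      # logons, process events etc. are not changes
        actor, target = ev.get("src_user"), ev.get("user")
        if not actor or not target:
            continue                      # a missing side can never be a self-change
        if normalize_account(actor) == normalize_account(target):
            hits.append(ev)
    return hits

# Constructed sample records in the CIM Change.Account_Management shape
# (src_user = who made the change, user = the account that was changed).
SAMPLE_EVENTS = [
    {"EventCode": 4738, "src_user": "CORP\\a-johndoe", "user": "a-johndoe", "action": "modified"},
    {"EventCode": 4738, "src_user": "CORP\\a-johndoe", "user": "a-janedoe", "action": "modified"},
    {"EventCode": 4728, "src_user": "A-JOHNDOE@corp.example", "user": "a-johndoe", "action": "added"},
    {"EventCode": 4624, "src_user": "a-johndoe", "user": "a-johndoe", "action": "success"},
    {"EventCode": 4724, "src_user": "CORP\\a-janedoe", "user": "a-johndoe", "action": "modified"},
]

if __name__ == "__main__":
    for ev in self_changes(SAMPLE_EVENTS):
        print(ev["EventCode"], ACCOUNT_MGMT_EVENTS[ev["EventCode"]], ev["src_user"], "->", ev["user"])
```

The first and third sample records are the only self-changes; the 4624 logon is dropped by the event-code filter even though both accounts match.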