Hello all,
Is there any possibility to detect if somebody ran a | delete command?
I do know about the "can delete" permission and currently, it is not assigned to anyone, but this might change in the future (I will hand over Splunk responsibility to someone else).
I tried to find some _internal logs that mention a previously executed delete command (on demo data of course 🙂) but I could not find any.
Thank you!
Hi everyone. Previous replies to this topic will work but a threat actor can exploit spaces, carriage returns, and Splunk comments to bypass your search query looking for delete commands. Please use this query if you want to account for that:
index=_audit action=search
| regex search="\\|(\\s|\\n|\\r|(```[\\s\\S]*```))*delete"
I noticed Splunk isn't consistently extracting the search field for all events in the _audit index, so here's the syntax to just search _raw with regex:
index=_audit
| regex _raw="\|\s*delete"
Hi pinVie, this command should work to reveal any search command that has delete in the search string:
index=_audit action=search info=granted search=* | where match(search,"delete")
Additionally, you can set this up as an alert to reveal whenever a user is granted the can_delete capability:
| rest splunk_server=local /services/authentication/users | search capabilities=delete_by_keyword
Please let me know if this answers your question!
You may want to use ... | regex search="\|\s*delete" instead of ... | where match..., the where will match deleted.
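To make the differences between the patterns in this thread concrete, here is an added Python example (not code from any of the posts above) that runs the three detection approaches discussed here over a handful of constructed _audit search strings: the substring check behind where match(search,"delete"), the pipe-anchored \|\s*delete regex, and the comment-aware regex from the reply about whitespace and ``` comment ``` bypasses. The sample search strings are constructed for illustration, not real audit data, and the regexes are translated to Python's re module; the one SPL-specific detail lost in translation is that the SPL versions run inside Splunk's double-quoted regex syntax rather than a Python raw string.

```python
import re

# Constructed sample values of the _audit "search" field (not real audit events).
SAMPLE_SEARCHES = {
    "plain":     "index=demo sourcetype=test | delete",
    "padded":    "index=demo   |    delete",
    "newline":   "index=demo |\n delete",
    "comment":   "index=demo | ```cleanup``` delete",
    "false_pos": "index=demo | stats count by deleted",
    "no_delete": "index=demo | stats count by host",
}

# Detector 1: what `where match(search,"delete")` does -- an unanchored substring match.
SUBSTRING = re.compile(r"delete")

# Detector 2: `regex search="\|\s*delete"` -- a pipe, optional whitespace, then delete.
# Python's \s already covers \n and \r, so multi-line searches are handled.
SIMPLE_PIPE = re.compile(r"\|\s*delete")

# Detector 3: the comment-aware pattern from the thread -- between the pipe and
# "delete" any mix of whitespace and ``` ... ``` SPL comments is allowed.
COMMENT_AWARE = re.compile(r"\|(\s|\n|\r|(```[\s\S]*```))*delete")


def classify(search_text: str) -> dict:
    """Return which of the three detectors fire on one _audit search string."""
    return {
        "substring": bool(SUBSTRING.search(search_text)),
        "simple_pipe": bool(SIMPLE_PIPE.search(search_text)),
        "comment_aware": bool(COMMENT_AWARE.search(search_text)),
    }


def evaluate_all(samples: dict = SAMPLE_SEARCHES) -> dict:
    """Run every detector over every sample; keyed by sample name."""
    return {name: classify(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:10} {result}")
```

The output shows the two points raised in the thread side by side: the substring check is the only one that fires on the false_pos sample (the field name deleted), while the simple pipe regex is the only one that misses the comment sample, where a ``` comment ``` sits between the pipe and the command. Both regexes handle the padded and newline samples because \s* absorbs spaces and line breaks.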