I want to set up a scheduled search that will look for the usage of the delete command in my environment.
This action is secured by the can_delete user role currently.
This search will show you if anyone has run the delete command. You can save this as a scheduled search.
index=_audit sourcetype=audittrail action=search search=*delete*
| where match(search,"\|\s*delete")
| table _time search user
Set your alert to this query. If count>0, alert.
index=_audit sourcetype=audittrail delete | regex _raw="\|\s*delete"
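Both answers rely on the same trick: the loose filter (search=*delete* or the bare term delete) narrows the audit events, and the regex \|\s*delete keeps only searches where delete appears as a piped command rather than as a search term. The Python below is an added example, not code from either answer, that runs that filter over a handful of constructed audittrail lines so you can see which events would reach the alert and which would not. The event layout (Audit:[timestamp=..., user=..., search='...']) is an assumption modelled on the general shape of _audit events, and the trailing \b and case-insensitive match are deliberate widenings of the page's regex.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample Splunk audittrail events for this demo. The field layout is an
# assumption modelled on the general shape of _audit events, not a copy of real logs.
SAMPLE_AUDIT_EVENTS = [
    "Audit:[timestamp=03-12-2024 10:01:07.123, user=alice, action=search, info=granted, search='search index=main sourcetype=syslog error']",
    "Audit:[timestamp=03-12-2024 10:02:44.555, user=bob, action=search, info=granted, search='search index=main host=web01 | delete']",
    "Audit:[timestamp=03-12-2024 10:03:10.001, user=carol, action=search, info=granted, search='search index=main \"delete\" | stats count']",
    "Audit:[timestamp=03-12-2024 10:04:59.900, user=dave, action=search, info=granted, search='search index=_internal | search deleted_by=*']",
    "Audit:[timestamp=03-12-2024 10:05:30.000, user=bob, action=search, info=granted, search='search index=main|delete']",
]

# Pulls the three fields the answer's "| table _time search user" would display.
# Assumes the search='...' field is the last one in the event (true for the samples above).
AUDIT_FIELDS = re.compile(
    r"timestamp=(?P<timestamp>[^,]+),.*?user=(?P<user>[^,\]]+),.*?search='(?P<search>.*)'\]$"
)

# Same idea as the page's regex \|\s*delete: a pipe, optional whitespace, then the
# command name. The \b and IGNORECASE are additions so "| delete" is matched as a whole
# word regardless of letter case.
DELETE_CMD = re.compile(r"\|\s*delete\b", re.IGNORECASE)


@dataclass
class DeleteHit:
    timestamp: str
    user: str
    search: str


def parse_audit_event(line: str) -> Optional[dict]:
    """Return timestamp/user/search from one audit line, or None if it does not parse."""
    m = AUDIT_FIELDS.search(line)
    return m.groupdict() if m else None


def is_delete_command(search: str) -> bool:
    """True only when 'delete' appears as a piped command, not merely as a search term."""
    return DELETE_CMD.search(search) is not None


def find_delete_commands(lines: Iterable[str]) -> List[DeleteHit]:
    """Equivalent of the page's search plus its where/regex filter, applied to raw lines."""
    hits: List[DeleteHit] = []
    for line in lines:
        fields = parse_audit_event(line)
        if fields is None:
            continue
        if is_delete_command(fields["search"]):
            hits.append(DeleteHit(fields["timestamp"], fields["user"], fields["search"]))
    return hits


def should_alert(lines: Iterable[str]) -> bool:
    """Alert condition from the second answer: fire when the result count is greater than zero."""
    return len(find_delete_commands(lines)) > 0


if __name__ == "__main__":
    for hit in find_delete_commands(SAMPLE_AUDIT_EVENTS):
        print(f"{hit.timestamp}  {hit.user:<8}  {hit.search}")
    print("alert:", should_alert(SAMPLE_AUDIT_EVENTS))
```

Of the five constructed events only bob's two searches match: the quoted term "delete" and the field name deleted_by both survive the loose search=*delete* filter but are dropped by the pipe-anchored regex, and index=main|delete with no space is still caught because \s* allows zero whitespace. One remaining caveat worth knowing for either answer: a search that merely contains the literal text "| delete" inside a quoted string would still match, so review hits rather than treating the count alone as proof that data was removed.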