Alerting

How to alert on modifications made to user role and capability?

naqviah
Explorer

Hi,

I am trying to find a way for Splunk to alert on any modifications made to user roles/capabilities that state whether a user has gained access to "delete". I have tried the following REST, but it does not alert when a user gains the delete capability. Any help would be appreciated.

| rest services/authorization/roles | search capabilities=delete_by_keyword

lguinn2
Legend

This REST command does not show history, only the current point in time. So it is not a useful way to see when something happened in the past.

From another answer, @AndySplunks said "I have saved searches (and correlations) looking for any activity in _audit for object='can_delete' and for any search activity that includes '| delete'"

That is probably a better way to go.


somesoni2
Revered Legend

How about this

| rest services/authorization/roles | where isnotnull(mvfind(match(capabilities,"delete_by_keyword")))

naqviah
Explorer

This returns the following error:

Error in 'where' command: The arguments to the 'mvfind' function are invalid.


somesoni2
Revered Legend

Oops, wrong function and a typo. Try this

| rest /services/authorization/roles | where isnotnull(mvfilter(match(capabilities,"delete_by_keyword")))

naqviah
Explorer

The results don't tell me which users have the "delete_by_keyword" capability. It just shows me which role has the capability in it.


somesoni2
Revered Legend

Try this. This will give you a list of users which have roles with delete capabilities.

| rest /services/authentication/users | table title roles | mvexpand roles
| where [| rest /services/authorization/roles | where isnotnull(mvfilter(match(capabilities,"delete_by_keyword"))) | table title | rename title as roles]

naqviah
Explorer

Thanks @somesoni2, but it's generating 0 events, which I know is not true because there are a number of users with delete_by_ capabilities.


frobinson_splun
Splunk Employee

A place to start might be to make a request on the /users endpoint to look for users with this capability:

http://docs.splunk.com/Documentation/Splunk/6.5.2/RESTREF/RESTaccess#authentication.2Fusers

There are a couple of additional suggestions/examples (including using an input to monitor a conf file for capability changes) in this related older thread that might help:
https://answers.splunk.com/answers/209323/can-splunk-searchalert-when-there-is-a-change-to-a.html

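Two points in this thread fit together: the REST endpoints only show the current state (lguinn2), and the user-to-role join has to be done before you know who actually holds "delete_by_keyword" (somesoni2, frobinson_splun). The script below is an added example, not code from the thread or from Splunk: it takes two snapshots shaped like the JSON a REST client gets back from /services/authorization/roles and /services/authentication/users (the entry[].name, content.capabilities, content.imported_roles and content.roles field names are the endpoints' own; the role and user data are constructed sample values), resolves capabilities inherited through imported roles, and reports which users gained the capability between the two snapshots. Scheduling such a diff against stored snapshots is one way to get the history the REST command itself lacks.

```python
"""Detect users who gained a Splunk capability between two REST snapshots.

Added example; the snapshot contents are constructed, not from a real
instance. Field names follow the authorization/roles and
authentication/users endpoints.
"""
from typing import Dict, List, Set

TARGET_CAP = "delete_by_keyword"

# Constructed "before" snapshot: only the admin role can delete.
ROLES_BEFORE = {"entry": [
    {"name": "admin", "content": {"capabilities": ["admin_all_objects", "delete_by_keyword"],
                                  "imported_roles": []}},
    {"name": "power", "content": {"capabilities": ["schedule_search"],
                                  "imported_roles": ["user"]}},
    {"name": "user",  "content": {"capabilities": ["search"], "imported_roles": []}},
]}
USERS_BEFORE = {"entry": [
    {"name": "alice", "content": {"roles": ["admin"]}},
    {"name": "bob",   "content": {"roles": ["power"]}},
    {"name": "carol", "content": {"roles": ["user"]}},
]}

# Constructed "after" snapshot: power gained delete_by_keyword directly, and a
# new analyst role inherits it by importing power; carol moved to analyst.
ROLES_AFTER = {"entry": [
    {"name": "admin",   "content": {"capabilities": ["admin_all_objects", "delete_by_keyword"],
                                    "imported_roles": []}},
    {"name": "power",   "content": {"capabilities": ["schedule_search", "delete_by_keyword"],
                                    "imported_roles": ["user"]}},
    {"name": "user",    "content": {"capabilities": ["search"], "imported_roles": []}},
    {"name": "analyst", "content": {"capabilities": [], "imported_roles": ["power"]}},
]}
USERS_AFTER = {"entry": [
    {"name": "alice", "content": {"roles": ["admin"]}},
    {"name": "bob",   "content": {"roles": ["power"]}},
    {"name": "carol", "content": {"roles": ["analyst"]}},
]}


def roles_with_capability(roles_doc: dict, cap: str) -> Set[str]:
    """Return every role that holds `cap`, directly or via imported roles.

    Only checking content.capabilities (as the thread's searches do) misses
    roles that inherit the capability, so imports are followed transitively.
    """
    caps = {e["name"]: set(e["content"].get("capabilities", [])) for e in roles_doc["entry"]}
    imports = {e["name"]: list(e["content"].get("imported_roles", [])) for e in roles_doc["entry"]}

    def effective(role: str, seen: Set[str]) -> Set[str]:
        if role in seen:          # guard against import cycles
            return set()
        seen.add(role)
        out = set(caps.get(role, ()))
        for parent in imports.get(role, ()):
            out |= effective(parent, seen)
        return out

    return {r for r in caps if cap in effective(r, set())}


def users_with_capability(users_doc: dict, roles_doc: dict, cap: str) -> Dict[str, List[str]]:
    """Map each user holding `cap` to the assigned roles that grant it."""
    privileged = roles_with_capability(roles_doc, cap)
    result: Dict[str, List[str]] = {}
    for e in users_doc["entry"]:
        granting = sorted(r for r in e["content"].get("roles", []) if r in privileged)
        if granting:
            result[e["name"]] = granting
    return result


def capability_gains(users_before: dict, roles_before: dict,
                     users_after: dict, roles_after: dict, cap: str) -> Dict[str, List[str]]:
    """Users who hold `cap` in the later snapshot but not in the earlier one."""
    old = users_with_capability(users_before, roles_before, cap)
    new = users_with_capability(users_after, roles_after, cap)
    return {u: new[u] for u in new if u not in old}


if __name__ == "__main__":
    gained = capability_gains(USERS_BEFORE, ROLES_BEFORE, USERS_AFTER, ROLES_AFTER, TARGET_CAP)
    for user, roles in sorted(gained.items()):
        print(f"ALERT: {user} gained {TARGET_CAP} via role(s) {', '.join(roles)}")
```

Run against the sample data it flags bob (power gained the capability directly) and carol (analyst inherits it from power); a search that only matches the direct capabilities field would report bob but not carol. In practice you would persist each snapshot (a lookup or a summary index) and run the comparison on a schedule, which also gives you the timestamps the REST output alone cannot provide.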