Capture "Splunk Enterprise Security" Changes

sumanssah · ‎09-05-2017

Hello All,

Is there is any way to identify "whats all changes performed on Splunk Enterprise Security" .
Example : Change in Correlation Search , Search Name , Description, drill-down search etc.

Trying to capture all kind of changes done by any user in "Splunk Enterprise Security".

Thanks in advance.

sumanssah · ‎03-01-2020

try this

index=_internal sourcetype=splunkd_ui_access method=post uri="*/saved/searches/*" | rex field=uri "\/saved\/searches\/(?P<title>.*?)(?:\/|$|\?)"| eval title=urldecode(title) |convert ctime(_time) as timestamp|stats count by title,user,timestamp,bytes|sort -timestamp | join title[| rest splunk_server=local /servicesNS/-/-/configs/conf-savedsearches|stats count by title,search,updated,cron_schedule,"eai:acl.perms.write",disabled]

Schedule this search and save it to a different index and compare it for changes with the latest result.

jkat54 · ‎09-05-2017

Everything should be in 'index=_audit' or 'index=_internal source=*search.log'.

If they make a change to a conf file via UI, it will show in _audit. If they send data via email, etc, that would be found in search.log

jkat54 · ‎09-05-2017

Also check out the change analysis datamodel.

Capture "Splunk Enterprise Security" Changes

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes