- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- How to audit capability assignment?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to audit capability assignment?
Hi,
I am looking for real-time events from the aufit trail for capability assignments/changes, but it looks like this is not provided in _audit.
How can I get an alert when someone adds can_delete for example? Or changes roles in other ways.
I know I can query the REST API for the current state, but I am more interested in getting alerts for changes.
Moitoring file changes also will only tell me that user X modifed authorize.conf, but not what was changed.
thx
afx
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The process of auditing capability assignment is to review the settings and ensuring that the systems, servers, and users have the correct permissions for their needs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello AFX, Good evening. I am also looking for real-time alerts as soon as someone gets an admin or can_delete role.
Not sure if you were able to create this alert. I was not able to find any useful info online.
I will really appreciate if you can share some insight.
Thanks
JS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The links posted do not anser the question (apart from implying NOT POSSIBLE).
As I wrote above, I am looking for a realtime information, so the rest API is useless as it leaves an unmonitored window.
And the audit log still does not provide the information needed, as it only notes a change, but not what was changed. Querying _audit for can_delete after I assigned the role shows nothing, so the information is not available in the audit log at all.
cheers
afx
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this is probably the basis for that:
index=_audit source=audittrail operation=edit action=edit_roles
there are many answers in this portal answering the exact same question
using _audit
https://answers.splunk.com/answers/552114/how-can-i-audit-changes-made-to-splunk-role-index.html
https://answers.splunk.com/answers/676586/how-to-track-if-assigned-role-has-been-changed-for.html
using | rest
https://answers.splunk.com/answers/209323/can-splunk-searchalert-when-there-is-a-change-to-a.html
https://answers.splunk.com/answers/186454/how-to-monitor-role-changes.html
hope it helps
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
