- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- How to alert on modifications made to user role an...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to alert on modifications made to user role and capability?
Hi,
I am trying to find a way for Splunk to alert on any modifications made to user roles/capabilities that state whether a user has gained access to "delete". I have tried the following REST, but it does not alert when a user gains the delete capability. Any help would be appreciated.
| rest services/authorization/roles | search capabilities=delete_by_keyword
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This REST command does not show history, only the current point in time. So it is not a useful way to see when something happened in the past.
From another answer, @AndySplunks said "I have saved searches (and correlations) looking for any activity in _audit for object='can_delete' and for any search activity that includes '| delete'"
That is probably a better way to go.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How about this
| rest services/authorization/roles | where isnotnull(mvfind(match(capabilities,"delete_by_keyword")))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This returns the following error:
Error in 'where' command: The arguments to the 'mvfind' function are invalid.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Opps, wrong function and a type. Try this
| rest /services/authorization/roles | where isnotnull(mvfilter(match(capabilities,"delete_by_keyword")))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The results doesn't tell me which users have the "delete_by_keyword" capability. It just shows me which role has the capability in it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this. This will give you list of users which have roles with delete capabilities.
| rest /services/authentication/users | table title roles | mvexpand roles
| where [| rest /services/authorization/roles | where isnotnull(mvfilter(match(capabilities,"delete_by_keyword"))) | table title | rename title as roles]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @somesoni2, but its generating 0 events, which i know is not true because there are number of users with delete_by_ capabilities.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A place to start might be to make a request on the /users endpoint to look for users with this capability:
http://docs.splunk.com/Documentation/Splunk/6.5.2/RESTREF/RESTaccess#authentication.2Fusers
There are a couple of additional suggestions/examples (including using an input to monitor a conf file for capability changes) in this related older thread that might help:
https://answers.splunk.com/answers/209323/can-splunk-searchalert-when-there-is-a-change-to-a.html
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
