Alerting

How to monitor role changes?

sjaworski
Communicator

I would like to monitor changes made to roles. Most specifically I want to create an alert when the can_delete role is added as an inheritance to a role or assigned to a user. However, I am struggling with finding what logs show when and what changes were made to role. I have reviewed the _audit and _internal logs and can see when a role is accessed, but not the change made. Are those changes logged and where?

Jeremiah
Motivator

There are two ways I think you could do this:

Set up a monitor input for your authorize.conf file, so that when changes are made to the file you re-index the entire file. Then you can run a search against that data to see whether any capabilities or inheritance settings have been changed.

OR

Set up a scheduled search to index (i.e., summarize) the authorization REST endpoint and search for the can_delete capability.

| rest services/authorization/roles | search capabilities=delete_by_keyword

To discover which users have the capability, set up a scheduled search to index the user REST endpoint and search for the capability.

| rest services/authentication/users | search capabilities=delete_by_keyword

I think the REST queries are a better option, because they'll give you the consolidated configuration and are nicely split into rows and columns.

jarjoh42
Path Finder

Amendment: this is the search I used for a distributed environment.

| rest splunk_server=* /services/authorization/roles | search capabilities=delete_by_keyword OR imported_capabilities=delete* title!=can_delete title!=system title!=splunk-system-role
| table title,splunk_server | rename title as Role

brettwilliams
Path Finder

Bit of a blind spot here if you use SAML authentication. If a role is directly mapped to a SAML group, I can't find an endpoint in REST which shows this. If you hit /services/authentication/users, you will see the mapping there, but only if a user has logged in since the capability was granted. So it seems the only way to get visibility into SAML mappings is btool authentication list | grep can_delete.

0 Karma
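The detection logic the replies above point at, as an added example that is not part of any post in this thread: Jeremiah's file-monitoring option needs something that reads authorize.conf and works out which roles end up with delete_by_keyword, directly or through importRoles, and brettwilliams's SAML note means the [roleMap_...] stanzas in authentication.conf have to be read as well, since they do not show up under /services/authorization/roles. The Python below does both over constructed sample configs (the role and group names are made up; the [capability::...], [role_...], importRoles and [roleMap_...] layout follows Splunk's conf format) and then diffs two snapshots of authorize.conf to produce the "role gained can_delete" event you would actually alert on. It reads conf text only; it does not call Splunk or the REST API.

```python
"""Added example (not from the thread): resolve which Splunk roles, and which
SAML groups, end up with a given capability by parsing authorize.conf and
authentication.conf text, then diff two snapshots to find new grants."""
import configparser

# Constructed sample authorize.conf. Role names are made up; the layout is
# Splunk's: [capability::x] declares a capability, [role_y] defines a role,
# importRoles inherits other roles, and "<cap> = enabled" grants a capability.
AUTHORIZE_CONF = """
[capability::delete_by_keyword]
[capability::search]
[capability::edit_user]

[role_can_delete]
delete_by_keyword = enabled

[role_user]
search = enabled
srchIndexesAllowed = main
srchDiskQuota = 100

[role_power]
importRoles = user
edit_user = enabled

[role_soc_tier2]
importRoles = power;can_delete
srchDiskQuota = 500

[role_soc_tier1]
importRoles = user
"""

# Earlier snapshot of the same file, before soc_tier2 started importing can_delete.
AUTHORIZE_CONF_BEFORE = AUTHORIZE_CONF.replace(
    "importRoles = power;can_delete", "importRoles = power")

# Constructed sample authentication.conf. In a [roleMap_<stanza>] block the key
# is the Splunk role and the value is a ;-separated list of IdP group names.
AUTHENTICATION_CONF = """
[roleMap_SAML]
admin = Splunk Admins
soc_tier2 = SOC-Tier2;IR-OnCall
user = All Staff
"""


def load_conf(text):
    """Parse Splunk-style conf text. Keys are case sensitive (importRoles),
    ';' is a value separator rather than a comment marker, and stanzas may be empty."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None,
                                   strict=False, delimiters=("=",),
                                   comment_prefixes=("#",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def direct_capabilities(cp):
    """Return (role -> capabilities set directly on it, role -> imported roles).
    A key counts as a capability only if a [capability::<key>] stanza declares it,
    which is how settings such as srchDiskQuota are told apart from grants."""
    caps = {s[len("capability::"):] for s in cp.sections() if s.startswith("capability::")}
    direct, imports = {}, {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        role = section[len("role_"):]
        direct[role] = {k for k, v in cp.items(section)
                        if k in caps and (v or "").strip().lower() == "enabled"}
        imports[role] = [r.strip() for r in cp.get(section, "importRoles", fallback="").split(";")
                         if r.strip()]
    return direct, imports


def effective_capabilities(role, direct, imports, _seen=None):
    """Transitive closure over importRoles; _seen guards against import cycles."""
    seen = _seen if _seen is not None else set()
    if role in seen or role not in direct:
        return set()
    seen.add(role)
    caps = set(direct[role])
    for parent in imports.get(role, []):
        caps |= effective_capabilities(parent, direct, imports, seen)
    return caps


def roles_granting(capability, authorize_text):
    """Sorted roles that hold the capability directly or by inheritance."""
    direct, imports = direct_capabilities(load_conf(authorize_text))
    return sorted(r for r in direct if capability in effective_capabilities(r, direct, imports))


def saml_groups_granting(capability, authorize_text, authentication_text):
    """IdP group -> sorted roles: which SAML groups map onto a role holding the capability."""
    risky = set(roles_granting(capability, authorize_text))
    hits = {}
    cp = load_conf(authentication_text)
    for section in cp.sections():
        if not section.startswith("roleMap_"):
            continue
        for role, groups in cp.items(section):
            if role in risky:
                for group in (groups or "").split(";"):
                    if group.strip():
                        hits.setdefault(group.strip(), set()).add(role)
    return {g: sorted(r) for g, r in sorted(hits.items())}


def new_grants(capability, old_authorize_text, new_authorize_text):
    """Roles that gained the capability between two snapshots: the event to alert on."""
    return sorted(set(roles_granting(capability, new_authorize_text))
                  - set(roles_granting(capability, old_authorize_text)))


if __name__ == "__main__":
    print(roles_granting("delete_by_keyword", AUTHORIZE_CONF))
    print(saml_groups_granting("delete_by_keyword", AUTHORIZE_CONF, AUTHENTICATION_CONF))
    print(new_grants("delete_by_keyword", AUTHORIZE_CONF_BEFORE, AUTHORIZE_CONF))
```

Run against the constructed data this reports can_delete and soc_tier2 as holders of delete_by_keyword (soc_tier2 only through importRoles, which is exactly the case a plain `capabilities=` filter on the REST output misses and why jarjoh42 added `imported_capabilities`), flags the SOC-Tier2 and IR-OnCall IdP groups, and emits soc_tier2 as the new grant between the two snapshots. Pointing load_conf at the output of `splunk btool authorize list` and `splunk btool authentication list` gives the merged view across app contexts rather than a single file.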

cborgal
Explorer

Thank you, this worked perfectly, and it has opened up other Auditing use cases for me.

0 Karma

JS400016
New Member

Good evening. I am also looking for real-time alerts as soon as someone gets an admin or can_delete role. 

Not sure if you were able to create this alert. I was not able to find any useful info online.

I will really appreciate if you can share some insight.

Thanks

JS

0 Karma

cborgal
Explorer

Bump. I'm also struggling with this. I've tried to increase the verbosity of the AuditLogger to DEBUG, but still no joy. Any ideas on this?

0 Karma