Re: Capture "Splunk Enterprise Security" Changes

sumanssah · ‎09-05-2017

Hello All,

Is there is any way to identify "whats all changes performed on Splunk Enterprise Security" .
Example : Change in Correlation Search , Search Name , Description, drill-down search etc.

Trying to capture all kind of changes done by any user in "Splunk Enterprise Security".

Thanks in advance.

sumanssah · ‎03-01-2020

try this

index=_internal sourcetype=splunkd_ui_access method=post uri="*/saved/searches/*" | rex field=uri "\/saved\/searches\/(?P<title>.*?)(?:\/|$|\?)"| eval title=urldecode(title) |convert ctime(_time) as timestamp|stats count by title,user,timestamp,bytes|sort -timestamp | join title[| rest splunk_server=local /servicesNS/-/-/configs/conf-savedsearches|stats count by title,search,updated,cron_schedule,"eai:acl.perms.write",disabled]

Schedule this search and save it to a different index and compare it for changes with the latest result.

jkat54 · ‎09-05-2017

Everything should be in 'index=_audit' or 'index=_internal source=*search.log'.

If they make a change to a conf file via UI, it will show in _audit. If they send data via email, etc, that would be found in search.log

jkat54 · ‎09-05-2017

Also check out the change analysis datamodel.

Capture "Splunk Enterprise Security" Changes

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?