Escalation of Privileges via SU in Linux

The following Splunk query example returns a list of users who escalated privileges with su on any host in a given time range. The query counts by day; if you need to count over a shorter or longer time bucket, modify the “Date=strftime” value below.

*NOTE* If the host field is being auto-extracted (for instance, when you are using a universal forwarder), you will not need the regex command and can use the auto-extracted field name “host” directly.
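As an added illustration (not the page's own Splunk query), the same detection logic in Python over constructed pam_unix su log lines: the host is pulled out of the syslog prefix by regex, only successful su sessions are counted, and a strftime format sets the time bucket the way the Date=strftime value does. The log format, host names, user names and the year parameter are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample /var/log/auth.log lines (syslog format); not from the page.
SAMPLE_LOG = """\
Mar 10 08:12:01 web01 su[2134]: pam_unix(su:session): session opened for user root by alice(uid=1000)
Mar 10 09:45:13 web01 su[2201]: pam_unix(su:session): session opened for user root by bob(uid=1001)
Mar 10 09:46:00 web01 su[2201]: pam_unix(su:session): session closed for user root
Mar 10 10:30:27 web01 su[2390]: pam_unix(su:session): session opened for user root by alice(uid=1000)
Mar 11 02:03:44 db01 su[877]: pam_unix(su:session): session opened for user postgres(uid=115) by alice(uid=1000)
Mar 11 23:58:02 web01 su[5120]: pam_unix(su:session): session opened for user root by alice(uid=1000)
Mar 11 23:59:59 web01 sshd[4412]: Accepted publickey for alice from 10.0.0.5 port 50211 ssh2
"""

# Syslog prefix; the host is pulled out by regex, the same job as the regex
# step the page describes when Splunk does not auto-extract "host".
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) su\[\d+\]: (?P<msg>.*)$"
)
# Only a successful su counts: pam_unix logs "session opened ... by <user>".
SU_OPEN_RE = re.compile(
    r"session opened for user (?P<target>[^\s(]+)(?:\(uid=\d+\))? "
    r"by (?P<user>[^\s(]+)"
)

def parse_su_event(line, year):
    """Return (timestamp, host, user, target) for a successful su, else None."""
    m = SYSLOG_RE.match(line)
    s = SU_OPEN_RE.search(m["msg"]) if m else None
    if not s:
        return None
    # Syslog lines carry no year, so the caller supplies it (assumed value).
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return ts, m["host"], s["user"], s["target"]

def count_escalations(log_text, year=2024, bucket="%Y-%m-%d"):
    """Count su escalations per (bucket, host, user, target).
    `bucket` is the strftime format that sets the time bucket, like the
    Date=strftime value in the query: "%Y-%m-%d" per day, "%Y-%m-%d %H" per hour."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_su_event(line, year)
        if ev:
            ts, host, user, target = ev
            counts[(ts.strftime(bucket), host, user, target)] += 1
    return counts
```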
