The following Splunk query will show a table of all users and their roles:
| rest /services/authentication/users | stats values(roles) as Roles by user
*Admin Notes* I’ve found the following query to work better in my environment:
| rest /services/authentication/users | stats values(roles) as Roles by title
Splunk Admin Account Activity – Role Modifications
This Splunk query shows when the admin account performed Create or Modify Roles actions:
index="_audit" action=edit_roles operation=* | table _time user operation object*
Splunk Admin Account Activity – Account Modifications
This Splunk query shows when the admin account performed Account Modification / Deletion / Creation actions:
index=_audit user=admin action=edit_user operation=* | table _time user operation object*
Index Modifications
This Splunk query should show which users attempted to modify an index and whether that action succeeded (the info field in _audit records the outcome):
index=_audit user=* action=indexes_edit | stats count by index info user action
Dashboard and App views by user
This Splunk query / search shows historical access to dashboards and apps on a local Splunk server.
index=_internal sourcetype=splunk_web_access host=* user=* | rex field=uri_path ".*/(?<title>[^/]*)$" | join title [| rest /servicesNS/-/-/data/ui/views splunk_server=* | search isDashboard=1 isVisible=1 | rename eai:acl.app as app | fields title app ] | rename title as dashboard | stats count by […]
Get Sourcetype and Index Info via TSTATS
Use the following simple tstats query to return the latest time events came in for a given index as well as list all sourcetypes for each index:
| tstats values(sourcetype) as Sourcetype latest(_time) as Time groupby index | convert ctime(Time)
Time Offset on Splunk Servers
This Splunk query shows if there is a time offset on your Splunk servers. I borrowed and modified this one from the Splunk clock skew search posted on www.bbosearch.com (another pretty awesome site like this one!). My version strips the unnecessary and renames some fields, but feel free to do what you want with it: […]
Events Sent to Null Queue – Internal Logs
This will show events that have been sent to the null queue within the Splunk internal logs.
index=_internal component=metrics processor=nullqueue group=pipeline sourcetype=splunkd | table _time log_level name processor cpu_seconds executes cumulative_hits
Potential Suspicious Activity in Windows
The following Splunk search should be run over a long period of time (at least it worked best that way in my environment). This query will show potentially suspicious activity based on processes within a Windows environment. It could also indicate a sanctioned security scan (so don’t run out there and start pointing fingers based […]
Monitor for Service Changes in Windows
The following Splunk search looks for changes in services within Windows (EventCode 7045, a new service installed), keeping only the first sentence of the event message:
sourcetype="WinEventLog:System" EventCode=7045 NOT (Service_Name=mgmt_service) | eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0) | table _time host Service_Name Service_Type Service_Start_Type Service_Account Short_Message
Monitor File Shares being Accessed in Windows
This Splunk search will show administrative file shares (C$, D$, E$, F$, U$) being accessed within Windows environments, excluding loopback access and accesses where the account name matches the host itself (with a trailing 1 or 2 trimmed off):
sourcetype="WinEventLog:Security" EventCode=5140 (Share_Name="*\\C$" OR Share_Name="*D$" OR Share_Name="*E$" OR Share_Name="*F$" OR Share_Name="*U$") NOT Source_Address="::1" | eval Destination_Sys1=trim(host,"1") | eval Destination_Sys2=trim(host,"2") | eval Dest_Sys1=lower(Destination_Sys1) | eval Dest_Sys2=lower(Destination_Sys2) | rename host AS Destination | rename Account_Domain AS Domain | where Account_Name!=Dest_Sys1 | where Account_Name!=Dest_Sys2 | stats […]
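The same filtering logic as the file share search above, as an added Python example that is not part of the original post, run over a handful of constructed 5140 events so the exclusions can be checked offline. The grouping fields of the final stats are an assumption, since the original search is truncated; the comparison is made case-insensitive on both sides, whereas the SPL lower-cases only the host.

```python
import re
from collections import Counter

# Constructed sample events (not real logs), shaped like the fields Splunk
# extracts from WinEventLog:Security EventCode=5140 (share object accessed).
SAMPLE_EVENTS = [
    {"EventCode": 5140, "host": "FILESRV1", "Share_Name": r"\\*\C$",
     "Source_Address": "10.0.0.5", "Account_Name": "jdoe", "Account_Domain": "CORP"},
    {"EventCode": 5140, "host": "FILESRV1", "Share_Name": r"\\*\C$",
     "Source_Address": "10.0.0.5", "Account_Name": "jdoe", "Account_Domain": "CORP"},
    {"EventCode": 5140, "host": "FILESRV1", "Share_Name": r"\\*\D$",
     "Source_Address": "10.0.0.5", "Account_Name": "jdoe", "Account_Domain": "CORP"},
    # Loopback access is dropped by the search (NOT Source_Address="::1").
    {"EventCode": 5140, "host": "FILESRV2", "Share_Name": r"\\*\C$",
     "Source_Address": "::1", "Account_Name": "svc_backup", "Account_Domain": "CORP"},
    # Account equal to the host with a trailing "1" trimmed is dropped.
    {"EventCode": 5140, "host": "FILESRV1", "Share_Name": r"\\*\C$",
     "Source_Address": "10.0.0.9", "Account_Name": "filesrv", "Account_Domain": "CORP"},
    # A non-administrative share never matches the Share_Name filter.
    {"EventCode": 5140, "host": "FILESRV1", "Share_Name": r"\\*\Public",
     "Source_Address": "10.0.0.7", "Account_Name": "asmith", "Account_Domain": "CORP"},
]

# Same wildcards as the SPL: "*\C$", "*D$", "*E$", "*F$", "*U$".
ADMIN_SHARE = re.compile(r"(\\C\$|D\$|E\$|F\$|U\$)$")


def splunk_trim(value, chars):
    """Mimic Splunk's trim(X, Y): strip characters in Y from both ends of X."""
    return value.strip(chars)


def is_suspicious_share_access(ev):
    """Apply the search's filters to one event; True if the event survives them."""
    if ev.get("EventCode") != 5140 or ev.get("Source_Address") == "::1":
        return False
    if not ADMIN_SHARE.search(ev.get("Share_Name", "")):
        return False
    # Drop a machine reaching its own share: account == host minus trailing 1/2.
    account = ev.get("Account_Name", "").lower()
    return all(account != splunk_trim(ev.get("host", ""), d).lower() for d in "12")


def share_access_counts(events):
    """Stand-in for the truncated stats: count by domain, account, destination, share."""
    counts = Counter()
    for ev in events:
        if is_suspicious_share_access(ev):
            counts[(ev["Account_Domain"], ev["Account_Name"], ev["host"], ev["Share_Name"])] += 1
    return dict(counts)
```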