SPL
Internal Splunk User Modifications
Description
This query searches Splunk's internal audit sourcetype (index=_audit, sourcetype=audittrail) and reports every user-account modification attempt, both successful and failed, excluding changes a user made to their own account.
index=_audit sourcetype=audittrail action=edit_user
| eval Date=strftime(_time, "%Y/%m/%d")
| where user!=object
| stats count by user, info, object, Date
| rename user as "Authenticated User", info as "Success Status", object as "Modified Account"
| sort - count
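The following Python script is an added example, not part of the original SPL page and not Splunk code: it models what the search above does so the logic can be checked offline. It parses constructed audit events in a simplified key=value layout (an assumption for illustration, not the exact on-disk format of Splunk's audit.log; only the field names user, action, info and object match the search), keeps action=edit_user, drops self-modifications exactly as `where user!=object` does (a row with an empty object is dropped too, matching SPL's null comparison), and counts by user, info, object and date, sorted by count descending.

```python
"""Offline model of the Splunk 'edit_user' audit search (added example, not from the page)."""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events (assumed key=value layout, not Splunk's real audit.log format).
# info=granted / info=denied stand in for the "Success Status" column of the search.
SAMPLE_AUDIT_LINES = [
    "_time=1718700000 user=admin action=edit_user info=granted object=bob",
    "_time=1718700060 user=admin action=edit_user info=granted object=bob",
    "_time=1718700120 user=admin action=edit_user info=denied object=alice",
    "_time=1718700180 user=alice action=edit_user info=granted object=alice",  # self-edit: excluded
    "_time=1718700240 user=svc_ops action=login info=succeeded object=",        # not edit_user
    "_time=1718786400 user=admin action=edit_user info=granted object=bob",    # next day
]


def parse_kv(line):
    """Split a 'k=v k=v ...' line into a dict; a missing value becomes ''."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
    return fields


def user_modifications(lines):
    """Return rows of (user, info, object, date, count), highest count first.

    Mirrors: action=edit_user | eval Date=strftime(_time,"%Y/%m/%d")
             | where user!=object | stats count by user, info, object, Date
             | sort - count
    """
    counts = Counter()
    for line in lines:
        event = parse_kv(line)
        if event.get("action") != "edit_user":
            continue
        user, target = event.get("user"), event.get("object")
        # SPL's user!=object is false/null when object is empty, so such rows drop out too.
        if not user or not target or user == target:
            continue
        date = datetime.fromtimestamp(int(event["_time"]), tz=timezone.utc).strftime("%Y/%m/%d")
        counts[(user, event.get("info", ""), target, date)] += 1
    rows = [(*key, n) for key, n in counts.items()]
    rows.sort(key=lambda row: -row[4])  # stable sort keeps insertion order for ties
    return rows


if __name__ == "__main__":
    for row in user_modifications(SAMPLE_AUDIT_LINES):
        print(row)
```

Running the script on the constructed sample yields three rows: two granted edits of bob by admin on 2024/06/18, one denied edit of alice by admin the same day, and one granted edit of bob on 2024/06/19; the self-edit by alice and the login event never appear. When reviewing real results, a denied row (the search's "Success Status" column) against an account the authenticated user normally does not manage is the one worth following up first.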