Last active March 12, 2024 10:01
Gist: inodee/04569e2c94b783f920c45dd24e03025e
Detect and alert on new Splunk indexes created
index=_audit sourcetype=audittrail TERM(create) operation=create action=indexes_edit
| rex field=_raw "object=\"*(?<object>[^\"]+)"
| stats values(user) AS user, min(_time) AS _time by object
| eval reason="There is a new index in town! New index: ".object.". Please evaluate if that needs to be in scope for any existing search or use case (ex.: IOC Scan Framework)."
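The search above can be hard to reason about without Splunk at hand, so here is the same detection logic, as an added example that is not part of the gist, run offline in Python over a handful of constructed audittrail lines. It assumes a simplified `Audit:[key=value, ...]` layout with a `timestamp` field in `MM-DD-YYYY HH:MM:SS.fff` form (an assumption for the sample data, not a guarantee about every Splunk version), applies the same filters (`action=indexes_edit`, `operation=create`), extracts `object` with the gist's own regex, and then emulates `stats values(user), min(_time) by object` plus the `eval reason` string.

```python
import re
from datetime import datetime

# Constructed sample _audit (sourcetype=audittrail) events; not captured from a real Splunk instance.
# Layout and timestamp format are assumptions made for this example.
SAMPLE_AUDIT_LINES = [
    'Audit:[timestamp=03-12-2024 09:58:01.000, user=admin, action=indexes_edit, info=granted, object="threat_intel", operation=create]',
    'Audit:[timestamp=03-12-2024 09:59:30.000, user=alice, action=indexes_edit, info=granted, object="threat_intel", operation=create]',
    'Audit:[timestamp=03-12-2024 10:00:00.000, user=bob, action=indexes_edit, info=granted, object="web_proxy", operation=edit]',
    'Audit:[timestamp=03-12-2024 10:01:15.000, user=bob, action=indexes_edit, info=granted, object="web_proxy_new", operation=create]',
    "Audit:[timestamp=03-12-2024 10:02:00.000, user=carol, action=search, info=granted, search_id='123']",
]

# key=value extraction: quoted values first, otherwise run to the next comma or closing bracket.
KV_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|[^,\]]+)""")
# Same pattern the gist's rex command uses to pull the index name out of _raw.
OBJECT_RE = re.compile(r'object="*(?P<object>[^"]+)')
TS_FMT = "%m-%d-%Y %H:%M:%S.%f"


def parse_audit_line(line):
    """Turn one audittrail line into a dict of its key=value fields (quotes stripped)."""
    return {key: val.strip("\"'") for key, val in KV_RE.findall(line)}


def find_new_indexes(lines):
    """Emulate the SPL: filter to index creations, rex the object, then
    stats values(user) AS user, min(_time) AS _time by object, and build the reason text."""
    results = {}
    for line in lines:
        if "create" not in line:  # rough stand-in for the TERM(create) prefilter
            continue
        fields = parse_audit_line(line)
        if fields.get("action") != "indexes_edit" or fields.get("operation") != "create":
            continue
        match = OBJECT_RE.search(line)
        if not match:
            continue
        obj = match.group("object")
        event_time = datetime.strptime(fields["timestamp"], TS_FMT)
        entry = results.setdefault(obj, {"user": set(), "_time": event_time})
        entry["user"].add(fields.get("user", "unknown"))
        entry["_time"] = min(entry["_time"], event_time)

    for obj, entry in results.items():
        entry["user"] = sorted(entry["user"])  # values(user) is a deduplicated multivalue field
        entry["reason"] = (
            "There is a new index in town! New index: " + obj
            + ". Please evaluate if that needs to be in scope for any existing search "
            "or use case (ex.: IOC Scan Framework)."
        )
    return results


if __name__ == "__main__":
    for obj, entry in find_new_indexes(SAMPLE_AUDIT_LINES).items():
        print(obj, entry["user"], entry["_time"].isoformat(), entry["reason"])
```

With the sample data this yields two alerts, one per created index; the `edit` operation on `web_proxy` and the unrelated `search` event are dropped by the same filters the SPL applies, and the two creations of `threat_intel` collapse into one row carrying both users and the earliest timestamp.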