Splunk search for Hosts where root user activity was identified

sourcetype=linux_secure | rex "^\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)" | rex "\suser\s(?<User>\S+)" | search User="root" | stats count as "Root Activity Count" by hostname
This search lists the Linux hosts on which activity by the root user appears in linux_secure events and counts those events per host. The first rex extracts the hostname from the standard syslog prefix (month, day, time, host); the day-of-month pattern allows one or two digits with the space padding syslog uses for single-digit days ("Mar  5"), which a fixed "\s\d{2}" would miss. The second rex captures the account name that follows the literal token "user", as in the pam_unix line "session opened for user root by (uid=0)"; it does not require trailing whitespace, so "session closed for user root" at the end of an event is also matched. Root activity reported in other formats, such as sshd's "Accepted password for root from ..." or sudo's "USER=root", contains no "user root" token and is not counted unless the regex is extended. Where the input already populates the host field, "stats count by host" gives the same breakdown without the first rex.
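To make visible which events the two rex patterns catch and which they miss, here is an added Python example, not part of the original page, that applies equivalent regexes to a few constructed linux_secure lines and aggregates root events per host the way the stats command does. The sample log lines and the broadened pattern BROAD_USER_RE are assumptions for illustration, not something the page specifies.

```python
import re
from collections import Counter

# Constructed sample events in the linux_secure syslog format (pam_unix, sudo, sshd).
# Line 3 has a space-padded day; line 2 ends right after the user name;
# lines 5 and 6 report root activity without a "user root" token.
SAMPLE_LOGS = """\
Mar 14 09:12:01 web01 sshd[2231]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 14 09:12:05 web01 sshd[2231]: pam_unix(sshd:session): session closed for user root
Mar  5 22:41:17 db02 sshd[18842]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 14 09:15:44 web01 sshd[2300]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar 14 09:16:02 db02 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar 14 09:17:30 app03 sshd[4100]: Accepted publickey for root from 10.0.0.5 port 51022 ssh2
"""

# Equivalent of the search's first rex: syslog timestamp, then the host.
# \s+\d{1,2} so that space-padded single-digit days ("Mar  5") match.
HOST_RE = re.compile(r"^\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?P<hostname>\S+)")

# Equivalent of the search's second rex as written on the page: the token
# " user <name> " with whitespace required on both sides.
USER_RE = re.compile(r"\suser\s(?P<User>[^\s]+)\s")

# Assumed broader pattern: also accepts the name at end of line, sudo's
# "USER=<name>" and sshd's "Accepted <method> for <name>" / "Failed ... for <name>".
BROAD_USER_RE = re.compile(
    r"(?:\suser\s|\bUSER=|(?:Accepted|Failed)\s\S+\sfor\s)(?P<User>[^\s;]+)"
)


def root_activity_by_host(log_text, user_re=USER_RE):
    """Return {hostname: count} of events attributed to root.

    Mirrors: rex hostname | rex User | search User="root" | stats count by hostname.
    Events where either extraction fails are dropped, exactly as rex without
    a match leaves the field unset and "search User=root" then excludes the event.
    """
    counts = Counter()
    for line in log_text.splitlines():
        host_match = HOST_RE.search(line)
        user_match = user_re.search(line)
        if host_match and user_match and user_match.group("User") == "root":
            counts[host_match.group("hostname")] += 1
    return dict(counts)


if __name__ == "__main__":
    print("page regex:   ", root_activity_by_host(SAMPLE_LOGS))
    print("broad regex:  ", root_activity_by_host(SAMPLE_LOGS, BROAD_USER_RE))
```

With the page's pattern only the two "session opened for user root" events are counted (web01 and db02 once each); the session-closed line, the sudo line and the sshd login are silently excluded because the user extraction fails on them. The broadened pattern attributes all five root events, which is the difference a reviewer should expect when tuning this search.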

Category:

Linux


Tags:

linux privileged access root

Search Commands:
