Splunk search for a list of Linux users who escalated privileges to root

sourcetype=linux_secure ("su: " OR "sudo: ") "session opened for user root"
| rex "session opened for user root(?:\(uid=\d+\))?\s+by\s+(?<user>[\w.-]+)"
| stats count by user, host
This search lists the users who escalated to root on Linux hosts. It keys on the pam_unix line that su and sudo write to the secure/auth log when a root session is opened, "session opened for user root by <user>", extracts the calling user with rex, and counts events per user and per host. The host field comes from the Splunk input (the forwarder or the syslog receiver sets it), so there is no need to parse the hostname out of the syslog header. Because the match is on "session opened", the result is a list of successful escalations; failed attempts are logged separately as "authentication failure" lines and are not counted here. Two caveats: newer Linux-PAM releases write "session opened for user root(uid=0) by <user>(uid=N)", so the regex must allow an optional "(uid=N)" after "root" or those events are silently missed, and usernames containing dots or dashes need a character class wider than \w. sudo also writes its own "USER=root ; COMMAND=..." line, which records the command that was run; this search does not use it, so pair it with that line if you need to know what was executed.
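The same detection logic, run offline over a handful of sample log lines, as an added Python example rather than anything from the original post. The log lines are constructed for the example (hostnames, users and timestamps are made up) and cover both the older "user root by <user>" and the newer "user root(uid=0) by <user>(uid=N)" pam_unix formats, plus the lines the search must ignore (session closed, escalation to a non-root user, sshd logins, authentication failures). The result is keyed by (user, host), matching "stats count by user, host".

```python
import re
from collections import Counter

# Constructed sample auth log lines in syslog format, as they would arrive in
# the linux_secure sourcetype. These are made up for the example.
SAMPLE_LOG = """\
Mar 04 10:15:01 web01 su: pam_unix(su:session): session opened for user root by alice(uid=1000)
Mar 04 10:16:22 web01 sudo: pam_unix(sudo:session): session opened for user root by bob(uid=0)
Mar 04 10:17:05 db02 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1001)
Mar 04 10:18:40 db02 su: pam_unix(su:session): session opened for user postgres by alice(uid=1001)
Mar 04 10:19:12 web01 su: pam_unix(su:session): session closed for user root
Mar 04 10:20:33 web01 sshd[2231]: Accepted publickey for carol from 10.0.0.5 port 51022 ssh2
Mar 04 10:21:09 db02 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1001)
Mar 04 10:22:47 web01 sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1000 euid=0 tty=/dev/pts/1 ruser=bob rhost=  user=bob
"""

# Syslog header: "Mon DD HH:MM:SS <host> <program>[pid]: <message>".
# Splunk supplies 'host' itself; here we take it from the header because
# the sample lines are raw text.
HEADER_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<program>[^\s\[:]+)(?:\[\d+\])?:\s+(?P<msg>.*)$"
)

# Equivalent of the rex in the search: tolerate the optional "(uid=N)" that
# newer Linux-PAM versions put after "root", and allow dots/dashes in names.
ESCALATION_RE = re.compile(
    r"session opened for user root(?:\(uid=\d+\))?\s+by\s+(?P<user>[\w.-]+)"
)


def parse_line(line):
    """Split one syslog line into header fields and message, or None if malformed."""
    m = HEADER_RE.match(line)
    return m.groupdict() if m else None


def root_escalations(log_text):
    """Count successful su/sudo escalations to root per (user, host).

    Mirrors the search: keep only su/sudo events, extract the calling user
    from the pam_unix 'session opened for user root by ...' line, then count.
    """
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["program"] not in ("su", "sudo"):
            continue  # same filter as ("su: " OR "sudo: ") in the base search
        m = ESCALATION_RE.search(ev["msg"])
        if not m:
            continue  # session closed, auth failure, or a non-root target user
        counts[(m.group("user"), ev["host"])] += 1
    return counts


if __name__ == "__main__":
    for (user, host), n in sorted(root_escalations(SAMPLE_LOG).items()):
        print(f"{user:<10} {host:<8} {n}")
```

Running it prints alice twice on db02 (one old-format and one new-format sudo line) and once on web01, and bob once on web01; the postgres su, the session-closed line, the sshd login and the sudo authentication failure are all dropped, which is exactly the set of events the search is meant to surface.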
0 comments

Category:

Linux


Tags:

linux privileged access security

Search Commands:
