Linux User Account Activity Remove User from Group (via Splunk): audit (USER_ACCT)

Nessus Network Monitor Plugin ID 710030

Synopsis

SIEM Pull Service has detected via Splunk query that, on this Linux system, a user was removed from a group.

Description

SIEM Pull Service has detected via Splunk query that, on this Linux system, a user was removed from a group. The query used was:

(sourcetype=linux_audit OR sourcetype=linux_secure) AND ("op=user * removed by * from group" OR op=delete-user-from-group)

Solution

N/A

Plugin Details

Severity: Info

ID: 710030

Family: Policy

Published: 8/20/2004

Updated: 5/18/2018