https://community.splunk.com/t5/Security/Monitor-Role-Changes-in-Audit-Trail/m-p/352939#M8855 <P>Seems odd to me, too, that that the event in the audit index do not describe the nature of the role change. </P> Thu, 17 Oct 2019 23:41:37 GMT dstaulcu 2019-10-17T23:41:37Z https://community.splunk.com/t5/Security/Monitor-Role-Changes-in-Audit-Trail/m-p/352937#M8853 <P><STRONG>Audit:[timestamp=10-29-2017 15:55:70.674, user=<A href="mailto:bob@bob.com">bob@bob.com</A>, action=edit_user, info=granted object="<A href="mailto:jerry@jerry.com">jerry@jerry.com</A>" operation=edit][n/a]</STRONG></P> <P>Is there anyway to actually see the edits that <STRONG>Bob</STRONG> made to <STRONG>Jerry's</STRONG> user account. Specifically what roles were added or removed.</P> <P>Tried to use,<BR /><BR /> | rest /services/authentication/current-context splunk_server=local</P> <P>but that only provides the roles that my current account has. Any help would be appreciated/</P> Mon, 06 Nov 2017 18:32:34 GMT https://community.splunk.com/t5/Security/Monitor-Role-Changes-in-Audit-Trail/m-p/352937#M8853 lathwal 2017-11-06T18:32:34Z https://community.splunk.com/t5/Security/Monitor-Role-Changes-in-Audit-Trail/m-p/352938#M8854 <P>You need to run with higher privilege. for REST.</P> Wed, 24 Apr 2019 06:29:24 GMT https://community.splunk.com/t5/Security/Monitor-Role-Changes-in-Audit-Trail/m-p/352938#M8854 valiquet 2019-04-24T06:29:24Z https://community.splunk.com/t5/Security/Monitor-Role-Changes-in-Audit-Trail/m-p/352939#M8855 <P>Seems odd to me, too, that that the event in the audit index do not describe the nature of the role change. </P> Thu, 17 Oct 2019 23:41:37 GMT https://community.splunk.com/t5/Security/Monitor-Role-Changes-in-Audit-Trail/m-p/352939#M8855 dstaulcu 2019-10-17T23:41:37Z