Splunk Audit

itsmevic — Fri, 05 Jun 2020 23:24:45 GMT

Hi, last week, I had full administrative access with Splunk but opened Splunk this morning and it appears my role may have changed; I now have what appears to be limited visibility into the Settings menu, something to that a normal end-user role might see. Looking for some SPL that would detect if changes were made to my account, when those changes were made, what changes were made, and who made those changes. Any help with this is appreciated.

Re: Splunk Audit

zacharychristen — Wed, 01 Apr 2020 05:25:58 GMT

You can search the _audit index for user changes.

index=_audit sourcetype=audittrail action=edit_user

Then you can specify a user that you are looking for or the "object" that was changed.

example output:

Audit:[timestamp=04-01-2020 05:08:32.013, user=zona, action=edit_user, info=granted object="james" operation=edit][n/a]
Audit:[timestamp=04-01-2020 05:08:32.013, user=zona, action=edit_user, info=succeeded object="james" password_changed=false realname="james johnson" email="test@test.com" roles="admin+power+user" password_state="" unlock_user=1 , default_app="launcher", ji=""][n/a]

topic Splunk Audit in Monitoring Splunk

Splunk Audit

Re: Splunk Audit