topic information about Splunk audit events in Splunk Search

information about Splunk audit events

gcusello — Thu, 11 Jan 2024 14:37:04 GMT

Hi at all,

I need to create some Correlation Searches on Splunk audit events, but I didn't find any documentation about the events to search, e.g. I don't know how to identify creation of a new role or updates to an existing one, I found only action=edit_roles, but I can only know the associted user and not the changed role.

Can anyone idicate an url to find Splunk audit information?

Ciao.

Giuseppe

Re: information about Splunk audit events

Gunnar — Thu, 11 Jan 2024 15:14:04 GMT

Hi,

maybe the _configtracker index can help. It would have old and new values for all configuration changes including changes made to user roles.

BR!

Gunnar

Re: information about Splunk audit events

gcusello — Thu, 11 Jan 2024 15:56:56 GMT

Hi @Gunnar,

thank you for your hint, in the _configtracker index there isn't any information about the user who did a change, and anyway isn't so well documented: I should search to understand events by myself, I'm searching for a documentation.

Thank you again.

Ciao.

Giuseppe