Is there a way to audit when an alert is changed or disabled?

Path Finder

Hi all,

I have been checking in index=_audit and I can't seem to find any sort of audit messaging about when an alerts gets disabled by a user or if the alert itself is changed. Does anyone know if this information can be found in Splunk?



Yes with REST. Use lookup to record the states.

|REST /services/saved/searches | fields title search disabled |lookup status.csv title AS title OUTPUT title AS lastTitle, search AS lastsearch, disabled AS lastdisabled | where search != lastsearch AND disabled !=lastdisabled disabled ==1 |outputlookup status.csv

Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...