How to retrieve list of users with access to the Splunk tool and then access logs related to who is logging in and out of the Splunk tool. Also, logs related to functions being performed on the Splunk tool.
Is there any search query to retrieve those details since its required by auditors for verification purpose.
Exact Question is:
Need the list of users with access to the Splunk tool and then access logs related to who is coming in and out of the tool. Also, logs related to functions being performed on the Splunk tool.
Also, can you point the specific page number where you feel the policy and process requirements are covered for this control? It may be that policy needs to move to 75% if you don't specifically speak to protecting access to audit tools. The process can stay at 100% since it would likely just follow you audit and access control standards
have you seen the "Data Governance" ( https://splunkbase.splunk.com/app/1866/ ) and "Search Activity" ( https://splunkbase.splunk.com/app/2632/ ) Apps?
There are some panels that describe user search activities.
Anyway in _audit index there are all the information about user activities on Splunk.
Try something like this
(index=_audit sourcetype=audittrail login) OR ( index=_internal sourcetype=splunk_web_service logout) action!=search | eval type=if(sourcetype="audittrail","Login","Logout") | table _time user type