Query to detect over N configuration changes on a certain host within a specific duration.
Any help is greatly appreciated!
_audit index has file system changes info.
You can start with something like below and refine the search query accordingly to your requirement.
index=_audit action IN ("add","update","delete")
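One way to turn that starting point into a scheduled alert, as an added example that is not part of the original answer: a savedsearches.conf stanza that buckets the fs_notification events into 10-minute windows per host and fires when any window exceeds a threshold. The host name, the 10-minute window, the threshold of 20, and the use of the `path` field from the fs_notification events are assumptions to adjust to your environment.

```ini
# savedsearches.conf (example, not from the original post)
# Alert when a single host produces more than 20 file system change
# events (add/update/delete) in any 10-minute window.
[fschange_burst_per_host]
# Assumed host name; replace or drop the host= filter to cover every host.
# Assumed: fs_notification events carry a "path" field; dc(path) shows how
# many distinct files were touched, which separates one noisy file from a
# sweep across many files.
search = index=_audit action IN ("add","update","delete") host="<HOST>" | bin _time span=10m | stats count AS change_count, dc(path) AS paths_touched, values(action) AS actions BY _time, host | where change_count > 20
# Run every 10 minutes over the last 10 minutes so each window is checked once.
enableSched = 1
cron_schedule = */10 * * * *
dispatch.earliest_time = -10m@m
dispatch.latest_time = now
# Fire as long as the search returns at least one offending window.
counttype = number of events
relation = greater than
quantity = 0
alert.severity = 4
alert.track = 1
```

Raise or lower the `where change_count > 20` threshold after reviewing a week of baseline counts with the same `stats` pipeline but without the `where` clause.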