Hi, last week, I had full administrative access with Splunk but opened Splunk this morning and it appears my role may have changed; I now have what appears to be limited visibility into the Settings menu, something to that a normal end-user role might see. Looking for some SPL that would detect if changes were made to my account, when those changes were made, what changes were made, and who made those changes. Any help with this is appreciated.
You can search the _audit index for user changes.
index=_audit sourcetype=audittrail action=edit_user
Then you can specify a user that you are looking for or the "object" that was changed.
example output:
Audit:[timestamp=04-01-2020 05:08:32.013, user=zona, action=edit_user, info=granted object="james" operation=edit][n/a]
Audit:[timestamp=04-01-2020 05:08:32.013, user=zona, action=edit_user, info=succeeded object="james" password_changed=false realname="james johnson" email="test@test.com" roles="admin+power+user" password_state="" unlock_user=1 , default_app="launcher", ji=""][n/a]