Monitoring Splunk

Splunk Audit

itsmevic
Communicator

Hi, last week, I had full administrative access with Splunk but opened Splunk this morning and it appears my role may have changed; I now have what appears to be limited visibility into the Settings menu, something to that a normal end-user role might see. Looking for some SPL that would detect if changes were made to my account, when those changes were made, what changes were made, and who made those changes. Any help with this is appreciated.

Tags (2)
0 Karma

zacharychristen
Path Finder

You can search the _audit index for user changes.

index=_audit sourcetype=audittrail action=edit_user

Then you can specify a user that you are looking for or the "object" that was changed.

example output:

Audit:[timestamp=04-01-2020 05:08:32.013, user=zona, action=edit_user, info=granted object="james" operation=edit][n/a]
Audit:[timestamp=04-01-2020 05:08:32.013, user=zona, action=edit_user, info=succeeded object="james" password_changed=false realname="james johnson" email="[email protected]" roles="admin+power+user" password_state="" unlock_user=1 , default_app="launcher", ji=""][n/a]
0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...