Security

How can I audit changes made to Splunk Role Index access?

nthornbury
Explorer

Can someone point me in the right direction to find info concerning auditing Splunk Cloud role changes? Specifically, I need to find out who/when an index access change occurred for a role in our Splunk Cloud deployment. I have tried searching the audit index, yet I don't get any info that says: `this user account________ on this date__________ modified the index access list for this role________`?

Thank you.

0 Karma
1 Solution

nthornbury
Explorer
0 Karma

nthornbury
Explorer

Peter,

I developed a report that runs each week, and sends me the reults fo the following search string:

index=_audit source=audittrail operation=edit action!=search action=edit_roles

You could modify this search with other parameters that suit your particular needs or frequency. The above, will show you all mods made to the admin role. I hope that helps. Thanks!

nthornbury
Explorer

Problem Solved.

0 Karma

randy_moore
Path Finder

@nthornbury - Were you ever able to get this solved?

0 Karma

nthornbury
Explorer

Yes, I am good to go on this one. Thank you for the follow-up!

0 Karma

peter_krammer
Communicator

Would you be so kind and share how you solved it, so that others can benefit from the info.

0 Karma
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf24, and Community Connections

Thank you to everyone in the Splunk Community who joined us for .conf24 – starting with Splunk University and ...

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...