Can someone point me in the right direction to find info concerning auditing Splunk Cloud role changes? Specifically, I need to find out who/when an index access change occurred for a role in our Splunk Cloud deployment. I have tried searching the audit index, yet I don't get any info that says: `this user account________ on this date__________ modified the index access list for this role________`?
I developed a report that runs each week, and sends me the reults fo the following search string:
index=audit source=audittrail operation=edit action!=search action=editroles
You could modify this search with other parameters that suit your particular needs or frequency. The above, will show you all mods made to the admin role. I hope that helps. Thanks!