Security
Highlighted

How can I audit changes made to Splunk Role Index access?

Explorer

Can someone point me in the right direction to find info concerning auditing Splunk Cloud role changes? Specifically, I need to find out who/when an index access change occurred for a role in our Splunk Cloud deployment. I have tried searching the audit index, yet I don't get any info that says: `this user account________ on this date__________ modified the index access list for this role________`?

Thank you.

0 Karma
Highlighted

Re: How can I audit changes made to Splunk Role Index access?

Path Finder

@nthornbury - Were you ever able to get this solved?

0 Karma
Highlighted

Re: How can I audit changes made to Splunk Role Index access?

Explorer

Yes, I am good to go on this one. Thank you for the follow-up!

0 Karma
Highlighted

Re: How can I audit changes made to Splunk Role Index access?

Communicator

Would you be so kind and share how you solved it, so that others can benefit from the info.

0 Karma
Highlighted

Re: How can I audit changes made to Splunk Role Index access?

Explorer
0 Karma
Highlighted

Re: How can I audit changes made to Splunk Role Index access?

Explorer

Peter,

I developed a report that runs each week, and sends me the reults fo the following search string:

index=audit source=audittrail operation=edit action!=search action=editroles

You could modify this search with other parameters that suit your particular needs or frequency. The above, will show you all mods made to the admin role. I hope that helps. Thanks!