Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- How to audit capability assignment?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to audit capability assignment?
Hi,
I am looking for real-time events from the aufit trail for capability assignments/changes, but it looks like this is not provided in _audit.
How can I get an alert when someone adds can_delete for example? Or changes roles in other ways.
I know I can query the REST API for the current state, but I am more interested in getting alerts for changes.
Moitoring file changes also will only tell me that user X modifed authorize.conf, but not what was changed.
thx
afx
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The process of auditing capability assignment is to review the settings and ensuring that the systems, servers, and users have the correct permissions for their needs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello AFX, Good evening. I am also looking for real-time alerts as soon as someone gets an admin or can_delete role.
Not sure if you were able to create this alert. I was not able to find any useful info online.
I will really appreciate if you can share some insight.
Thanks
JS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The links posted do not anser the question (apart from implying NOT POSSIBLE).
As I wrote above, I am looking for a realtime information, so the rest API is useless as it leaves an unmonitored window.
And the audit log still does not provide the information needed, as it only notes a change, but not what was changed. Querying _audit for can_delete after I assigned the role shows nothing, so the information is not available in the audit log at all.
cheers
afx
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this is probably the basis for that:
index=_audit source=audittrail operation=edit action=edit_roles
there are many answers in this portal answering the exact same question
using _audit
https://answers.splunk.com/answers/552114/how-can-i-audit-changes-made-to-splunk-role-index.html
https://answers.splunk.com/answers/676586/how-to-track-if-assigned-role-has-been-changed-for.html
using | rest
https://answers.splunk.com/answers/209323/can-splunk-searchalert-when-there-is-a-change-to-a.html
https://answers.splunk.com/answers/186454/how-to-monitor-role-changes.html
hope it helps
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
