Solved: How to track if assigned role has been changed for...

vin02 · ‎07-26-2018

Suppose one user "ABC" has tagged user role after some time someone his role has been changed as power or something else.
How to write query to track these role changes?

adonio · ‎07-26-2018

Hello there,

you can see the action, who did it and which user was modified like this:

index = _audit sourcetype = audittrail action=edit_user operation=edit info=granted 
| stats values(user) as who_did_it values(object) as user_changed by _time

hope it helps

View solution in original post

adonio · ‎07-26-2018

Hello there,

you can see the action, who did it and which user was modified like this:

index = _audit sourcetype = audittrail action=edit_user operation=edit info=granted 
| stats values(user) as who_did_it values(object) as user_changed by _time

hope it helps

PowerPacked · ‎07-26-2018

Hi @vin02

Splunk only writes about changes made to user & its roles,
But it dont write what changes were made.

index=_audit "action=edit_user" user=yourusername

Thanks

How to track if assigned role has been changed for any user?

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Are you a member of the Splunk Community?

How to track if assigned role has been changed for any user?

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console