Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Monitor Role Changes in _Audit Trail

lathwal
Engager
‎11-06-2017 10:32 AM

Audit:[timestamp=10-29-2017 15:55:70.674, user=bob@bob.com, action=edit_user, info=granted object="jerry@jerry.com" operation=edit][n/a]

Is there anyway to actually see the edits that Bob made to Jerry's user account. Specifically what roles were added or removed.

Tried to use,

| rest /services/authentication/current-context splunk_server=local

but that only provides the roles that my current account has. Any help would be appreciated/

Reply

dstaulcu
Builder
‎10-17-2019 04:41 PM

Seems odd to me, too, that that the event in the audit index do not describe the nature of the role change.

0 Karma
Reply

valiquet
Contributor
‎04-23-2019 11:29 PM

You need to run with higher privilege. for REST.

0 Karma
Reply
Get Updates on the Splunk Community!

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...