Audit:[timestamp=10-29-2017 15:55:70.674, user=bob@bob.com, action=edit_user, info=granted object="jerry@jerry.com" operation=edit][n/a]
Is there anyway to actually see the edits that Bob made to Jerry's user account. Specifically what roles were added or removed.
Tried to use,
| rest /services/authentication/current-context splunk_server=local
but that only provides the roles that my current account has. Any help would be appreciated/
Seems odd to me, too, that that the event in the audit index do not describe the nature of the role change.
You need to run with higher privilege. for REST.