Security

Monitor Role Changes in _Audit Trail

lathwal
Engager

Audit:[timestamp=10-29-2017 15:55:70.674, user=bob@bob.com, action=edit_user, info=granted object="jerry@jerry.com" operation=edit][n/a]

Is there anyway to actually see the edits that Bob made to Jerry's user account. Specifically what roles were added or removed.

Tried to use,

| rest /services/authentication/current-context splunk_server=local

but that only provides the roles that my current account has. Any help would be appreciated/

dstaulcu
Builder

Seems odd to me, too, that that the event in the audit index do not describe the nature of the role change.

0 Karma

valiquet
Contributor

You need to run with higher privilege. for REST.

0 Karma
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf24, and Community Connections

Thank you to everyone in the Splunk Community who joined us for .conf24 – starting with Splunk University and ...

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...