We’d like to monitor role modifications of our Splunk accounts. The goal is to know who modified what role and which user. Unfortunately, we were not able to find a good query to do that.
index=_audit action=edit_user - has no information about the type of change or the role that was changed
index=_audit action=edit_roles OR action=edit_roles_grantable - has no information about the user whose role has been changed
| rest services/authorization/roles - could be used for this purpose
In addition, it looks like both index-based requests return a lot of system events that pollute the results.
Do you have an idea how the supervision could be set up properly?
Thanks for the help.
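One way to recover the missing "which user, which role" detail, as an added example that is not part of the original post: snapshot the user-to-roles mapping on a schedule and diff consecutive snapshots, then use the _audit edit_user event only for the who and when. The JSON below is constructed to resemble the output of the REST endpoint /services/authentication/users with output_mode=json (an assumption for this example; the services/authorization/roles entries mentioned in the post can be diffed the same way using their capabilities list).

```python
"""Detect Splunk role changes by diffing two snapshots of the user->roles mapping.

The sample snapshots are constructed to resemble the JSON returned by the REST
endpoint /services/authentication/users?output_mode=json (assumed for this
example): a top-level "entry" list whose items carry "name" and "content.roles".
"""
import json

# Constructed sample: snapshots taken before and after an administrator edited
# roles. alice gains admin, bob loses power, carol is a newly created user.
USERS_BEFORE = json.dumps({"entry": [
    {"name": "alice", "content": {"roles": ["user"]}},
    {"name": "bob",   "content": {"roles": ["power", "user"]}},
]})
USERS_AFTER = json.dumps({"entry": [
    {"name": "alice", "content": {"roles": ["admin", "user"]}},
    {"name": "bob",   "content": {"roles": ["user"]}},
    {"name": "carol", "content": {"roles": ["user"]}},
]})


def entries_to_sets(snapshot_json, field):
    """Map each entry name to the set of values found in content[field]."""
    data = json.loads(snapshot_json)
    return {e["name"]: set(e["content"].get(field, [])) for e in data["entry"]}


def diff_snapshots(before, after):
    """Return (name, added, removed) for every name whose set changed.

    Names present in only one snapshot are reported too, so newly created
    or deleted accounts show up as all-added or all-removed."""
    changes = []
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name, set()), after.get(name, set())
        added, removed = new - old, old - new
        if added or removed:
            changes.append((name, sorted(added), sorted(removed)))
    return changes


def user_role_changes(before_json, after_json):
    """Which users gained or lost which roles between two users snapshots."""
    return diff_snapshots(entries_to_sets(before_json, "roles"),
                          entries_to_sets(after_json, "roles"))


if __name__ == "__main__":
    for user, added, removed in user_role_changes(USERS_BEFORE, USERS_AFTER):
        print(f"user={user} roles_added={added} roles_removed={removed}")
```

Joining each reported change with the _audit edit_user event closest in time gives the editing account and timestamp that the snapshot diff alone cannot provide.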