woodentree
Communicator
03-18-2020
03:15 AM
Hello,
We’d like to monitor role modifications of our Splunk accounts. The goal is to know who modified what role and which user. Unfortunately, we were not able to find a good query to do that.
- index=_audit action=edit_user
  has no information about type of change and role changed
- index=_audit action=edit_roles OR action=edit_roles_grantable
  has no information of user whose role has been changed
- And we were not able to figure out if
  | rest services/authorization/roles
  could be used for this purpose
In addition, it looks like both index-based requests return a lot of system events that pollute the results.
Do you have an idea how the supervision could be set up properly?
Thanks for the help.
1 Solution
woodentree
Communicator
03-23-2020
09:38 AM
We've contacted Splunk support: today there is no such option to have all the information we'd like to. A feature request was set up.
