We'd like to monitor role modifications of our Splunk accounts. The goal is to know who modified which role, and for which user. Unfortunately, we were not able to find a good query to do that. The two searches we tried are:
index=_audit (action=edit_roles OR action=edit_roles_grantable)

| rest /services/authorization/roles
In addition, it looks like both index-based searches return a lot of system events that pollute the results.
Do you have an idea of how this supervision could be set up properly?
Thanks for the help.
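One way to get at least the "what changed" half of the question is to snapshot the roles REST endpoint on a schedule and diff consecutive snapshots, then use the change's time window to go back to `_audit` for the "who". The script below is an added example for this thread, not code from the original post or from Splunk. It assumes the JSON that `GET /services/authorization/roles?output_mode=json` returns: a top-level `entry` list whose items carry `name` (the role) and a `content` object with the lists `capabilities`, `imported_roles` and `srchIndexesAllowed`. The two snapshots are constructed sample data, the helper names (`parse_roles`, `diff_roles`, `audit_search_for`, `report`) are chosen here, and the emitted `_audit` search only relies on `user`, `action` and `info`, which every audit event carries; matching the role name as a free-text term rather than a named field is an assumption.

```python
"""Snapshot-diff monitoring of Splunk roles (added example, not from the
original thread or from Splunk). Assumes the output_mode=json shape of
/services/authorization/roles; the snapshots are constructed sample data."""
import json

TRACKED_FIELDS = ("capabilities", "imported_roles", "srchIndexesAllowed")


def _entry(name, caps, imported, indexes):
    return {"name": name, "content": {"capabilities": caps,
                                      "imported_roles": imported,
                                      "srchIndexesAllowed": indexes}}


# Constructed "before" snapshot: three roles.
SNAPSHOT_BEFORE = json.dumps({"entry": [
    _entry("admin", ["admin_all_objects", "edit_roles", "edit_user"], ["power", "user"], ["*", "_*"]),
    _entry("power", ["rtsearch", "schedule_search"], ["user"], ["*"]),
    _entry("soc_analyst", ["search", "schedule_search"], ["user"], ["security", "main"]),
]})

# Constructed "after" snapshot: power lost rtsearch, soc_analyst gained
# edit_roles and the finance index, and a new role "contractor" appeared.
SNAPSHOT_AFTER = json.dumps({"entry": [
    _entry("admin", ["admin_all_objects", "edit_roles", "edit_user"], ["power", "user"], ["*", "_*"]),
    _entry("power", ["schedule_search"], ["user"], ["*"]),
    _entry("soc_analyst", ["search", "schedule_search", "edit_roles"], ["user"], ["security", "main", "finance"]),
    _entry("contractor", ["search"], [], ["main"]),
]})


def parse_roles(payload):
    """Normalise a roles payload into {role: {field: set(values)}}."""
    roles = {}
    for entry in json.loads(payload).get("entry", []):
        content = entry.get("content", {})
        roles[entry["name"]] = {f: set(content.get(f) or []) for f in TRACKED_FIELDS}
    return roles


def diff_roles(old, new):
    """Return (role, field, added, removed) tuples describing what changed.

    A role that appears or vanishes is reported once with field "role", so a
    newly created role is one event rather than one per capability.
    """
    changes = []
    for role in sorted(set(old) | set(new)):
        if role not in old:
            changes.append((role, "role", {"created"}, set()))
        elif role not in new:
            changes.append((role, "role", set(), {"deleted"}))
        else:
            for field in TRACKED_FIELDS:
                added = new[role][field] - old[role][field]
                removed = old[role][field] - new[role][field]
                if added or removed:
                    changes.append((role, field, added, removed))
    return changes


def audit_search_for(change, earliest, latest):
    """Build the _audit search that finds who touched this role in the window.

    The diff tells you *what* changed; _audit tells you *who* exercised
    edit_roles at that time. The role name is matched as a free-text term
    (assumption: the field carrying it in _audit is not documented here).
    splunk-system-user is excluded to drop internal housekeeping events.
    """
    role = change[0]
    return (
        f"index=_audit (action=edit_roles OR action=edit_roles_grantable) "
        f"NOT user=splunk-system-user earliest={earliest} latest={latest} "
        f'"{role}" | table _time user action info'
    )


def report(before_payload, after_payload, earliest="-15m", latest="now"):
    """One readable line per change, each with its follow-up audit search."""
    lines = []
    for change in diff_roles(parse_roles(before_payload), parse_roles(after_payload)):
        role, field, added, removed = change
        lines.append(f"{role}.{field}: +{sorted(added)} -{sorted(removed)}  ->  "
                     + audit_search_for(change, earliest, latest))
    return lines


if __name__ == "__main__":
    for line in report(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(line)
```

In practice the two payloads come from a scheduled fetch (a scripted input or cron job authenticating to the management port) with the previous response kept on disk; the window passed to `audit_search_for` should be the interval between the two fetches. The REST endpoint itself carries no actor information, which is why the correlation with `_audit` is needed for the "who".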
We've contacted Splunk support: today there is no option to get all the information we'd like. A feature request has been filed.