I was looking for a way to view WHAT exactly was audited when someone changes a ROLE or USER (capabilities, inherited roles, indexes, etc).

I found a few searches guiding me to what I had already found on internal indexes, but of course, nothing gets as granular as it should.

I am hoping I just am mistaken and am looking in the wrong place so please re-direct me if that is the case.

Example search:

index=_audit sourcetype=audittrail operation=edit NOT user IN (index-manager, admin) NOT action=search
| table _time user object action info operation 
| sort - _time

The above will give me mostly what I want to know. However, a few things I have found and tested extensively.

A. Navigating in the GUI to a built-in role (such as 'admin') and changed nothing (Access Controls > Users > admin). I then do a search and I'll see the following:

object=admin action=edit_user info=granted operation=edit

This is an issue as NOTHING was changed but we see an action of "edit_user". It would be nice if the granularity would show WHAT was changed, such as capabilities, inherited roles, indexes, etc. But Splunk auditing doesn't show that. I think that is a big gap that should be addressed.

B. If you see "action=edit_role", then that DOES mean that a role was changed. However, "action=edit_user" can mean a user was changed OR it was simply accessed in the GUI.

C. To add even more confusion, when you change a role, you can also see an audit log that shows the same object (such as 'example-role') with "action=edit_user". Meanwhile there is NO SUCH USER as 'example-role'.

I don't think this may ever get cleared up, but should as if something does happen that requires legal action, there is some reasonable doubt that can easily creep in.

Please, if anyone knows of a way to see the granularity I am looking for or if it is on the Splunk Roadmap, then please let me know. Any help is GREATLY appreciated.