Hi,
I would like to see the roles of the created users, not the roles of the user who created the account. Is there a way to do this?
index=_audit action=edit_user operation=create
| eval timestamp_formated=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N")
| convert timeformat="%d/%b/%Y" ctime(timestamp_formated)
| eval timestamp = strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N")
| join user
[| rest /services/authentication/users
| fields title roles
| rename title AS user ]
| rename object as created_user, user as created_by
| stats values(roles) as user_roles values(timestamp) as timestamp values(host) as created_on by timestamp_formated created_user created_by
| sort - timestamp
| fields - timestamp
Here is how we audit and figure out who is able to do what and slowly remove those who don't need it.
| rest /services/authentication/users
| dedup id
| rename title AS username roles AS role_direct
| mvexpand role_direct
| eval user=username . " = " . realname
| fields user role_direct
| appendpipe [
| rest /services/authorization/roles
| dedup id
| rename title AS role_direct
| eval role_add = role_direct
| eval combined_roles=mvappend(role_add,imported_roles)
| mvexpand combined_roles
| fields role_direct, combined_roles]
| stats list(*) AS * BY role_direct
| mvexpand combined_roles
| rename combined_roles AS combined_role
| eval formatted_role=if(combined_role = role_direct,combined_role." (direct assignment)",combined_role." (inherited through ".role_direct.")")
| appendpipe [
| rest /services/authorization/roles
| dedup id
| rename title AS combined_role
| fields combined_role capabilities]
| stats list(*) AS * BY combined_role
| mvexpand formatted_role
| mvexpand capabilities
| mvexpand user
| rename capabilities AS capability
| rename formatted_role AS "role (inheritance)"
| table user "role (inheritance)" capability
| search capability="edit_user"
You're joining on the field user, which is the creating user in your audit logs - the created user is in the field object.
Change your rename to AS object inside the join, and join on object.
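The fix from this answer applied to the search in the question, as an added example (not the asker's or the answerer's own code). Two small additions go beyond the fix itself: join type=left keeps the audit row for a user that was created and later deleted (its user_roles is simply empty) instead of dropping it through join's default inner behaviour, and splunk_server=local on the rest call reads the user list from the search head only, so one row per user comes back instead of one per search peer.

```spl
index=_audit action=edit_user operation=create
| eval timestamp_formated=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N")
| convert timeformat="%d/%b/%Y" ctime(timestamp_formated)
| eval timestamp=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N")
| join type=left object
    [| rest /services/authentication/users splunk_server=local
     | fields title roles
     | rename title AS object ]
| rename object AS created_user, user AS created_by
| stats values(roles) AS user_roles values(timestamp) AS timestamp values(host) AS created_on BY timestamp_formated created_user created_by
| sort - timestamp
| fields - timestamp
```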