Monitoring Splunk

Splunk Audit

itsmevic
Communicator

Hi, last week, I had full administrative access with Splunk but opened Splunk this morning and it appears my role may have changed; I now have what appears to be limited visibility into the Settings menu, something to that a normal end-user role might see. Looking for some SPL that would detect if changes were made to my account, when those changes were made, what changes were made, and who made those changes. Any help with this is appreciated.

Labels (1)
Tags (2)
0 Karma

zacharychristen
Path Finder

You can search the _audit index for user changes.

index=_audit sourcetype=audittrail action=edit_user

Then you can specify a user that you are looking for or the "object" that was changed.

example output:

Audit:[timestamp=04-01-2020 05:08:32.013, user=zona, action=edit_user, info=granted object="james" operation=edit][n/a]
Audit:[timestamp=04-01-2020 05:08:32.013, user=zona, action=edit_user, info=succeeded object="james" password_changed=false realname="james johnson" email="test@test.com" roles="admin+power+user" password_state="" unlock_user=1 , default_app="launcher", ji=""][n/a]
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...