Solved: Re: How can I audit changes made to Splunk Role In...

nthornbury · ‎07-05-2017

Can someone point me in the right direction to find info concerning auditing Splunk Cloud role changes? Specifically, I need to find out who/when an index access change occurred for a role in our Splunk Cloud deployment. I have tried searching the audit index, yet I don't get any info that says: `this user account________ on this date__________ modified the index access list for this role________`?

Thank you.

nthornbury · ‎06-18-2018

Problem Solved.

View solution in original post

nthornbury · ‎08-13-2018

Peter,

I developed a report that runs each week, and sends me the reults fo the following search string:

index=_audit source=audittrail operation=edit action!=search action=edit_roles

You could modify this search with other parameters that suit your particular needs or frequency. The above, will show you all mods made to the admin role. I hope that helps. Thanks!

nthornbury · ‎06-18-2018

Problem Solved.

randy_moore · ‎06-15-2018

@nthornbury - Were you ever able to get this solved?

nthornbury · ‎06-18-2018

Yes, I am good to go on this one. Thank you for the follow-up!

peter_krammer · ‎08-13-2018

Would you be so kind and share how you solved it, so that others can benefit from the info.

How can I audit changes made to Splunk Role Index access?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...