Solved: Re: How to track if assigned role has been changed...

vin02 · ‎07-26-2018

Suppose one user "ABC" has tagged user role after some time someone his role has been changed as power or something else.
How to write query to track these role changes?

adonio · ‎07-26-2018

Hello there,

you can see the action, who did it and which user was modified like this:

index = _audit sourcetype = audittrail action=edit_user operation=edit info=granted 
| stats values(user) as who_did_it values(object) as user_changed by _time

hope it helps

View solution in original post

adonio · ‎07-26-2018

Hello there,

you can see the action, who did it and which user was modified like this:

index = _audit sourcetype = audittrail action=edit_user operation=edit info=granted 
| stats values(user) as who_did_it values(object) as user_changed by _time

hope it helps

PowerPacked · ‎07-26-2018

Hi @vin02

Splunk only writes about changes made to user & its roles,
But it dont write what changes were made.

index=_audit "action=edit_user" user=yourusername

Thanks

How to track if assigned role has been changed for any user?

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?