Hi at all,
I need to create some Correlation Searches on Splunk audit events, but I didn't find any documentation about the events to search, e.g. I don't know how to identify creation of a new role or updates to an existing one, I found only action=edit_roles, but I can only know the associted user and not the changed role.
Can anyone idicate an url to find Splunk audit information?
Ciao.
Giuseppe
Hi,
maybe the _configtracker index can help. It would have old and new values for all configuration changes including changes made to user roles.
BR!
Gunnar
Hi @Gunnar,
thank you for your hint, in the _configtracker index there isn't any information about the user who did a change, and anyway isn't so well documented: I should search to understand events by myself, I'm searching for a documentation.
Thank you again.
Ciao.
Giuseppe