Splunk Search for Splunk user modification attempts Copy
index=_audit sourcetype=audittrail action=edit_user | eval Date=strftime(_time, "%b %d, %Y") |where user!=object| stats count by user, info, object, Date | rename user as User | rename info as "Status" | rename object as "Target Account" | sort - count
0 comments
Splunk Search for Creations and Modifications to user roles Copy
index="_audit" action=edit_roles operation=* | table _time user operation object*
0 comments
Splunk Search for Splunk account creations, modifications and deletions Copy
index=_audit user=admin action=edit_user operation=* | stats list(_time) as Time, list(operation) as operation, list(object) as object by user | eval Time=strftime(Time,"%m/%d/%Y %H:%M:%S")
0 comments