How to create an alert for any changes to the role of existing Users
Generally, for companies with small or mid-size Splunk deployment, where the number of Splunkers is not very high, the requirement of having alert for user role changes doesn’t seem feasible but for larger deployments, it somehow becomes necessary to keep an eye on the roles of the Users.
The below query fetches the list of Users, their roles and real names and stores them in a CSV file –
|rest /services/authentication/users splunk_server=local | fields title roles realname | rename title as User_Name,realname as Name, roles as Prev_roles | outputlookup <lookup_filename>
an example screenshot is below for your reference,
Now, create a scheduled report for this query so that the CSV file has some update frequency. (we are scheduling this report to run once every week, at 10:00 am on Monday).
Now use the query shown below to set an alert whenever there is any change in the user roles. (We on purpose have changed the role of the User Abhay ) as depicted by the picture below.
NOTE: Schedule this alert as per the interest of your requirement.
|rest /services/authentication/users splunk_server=local |fields title roles realname|rename title as User_Name,realname as Name | lookup <lookup_filename> User_Name | where roles!=Prev_roles
That’s it!!
Thanks for going through our post…
Happy Splunking!!
