Splunk Admin Account Activity – Account Modifications

This Splunk query searches the _audit index for edit_user events to show when the admin account created, modified, or deleted an account:

index=_audit user=admin action=edit_user operation=* | table _time user operation object*
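
For review over a longer time range, a summarized variant is often easier to scan than the raw table. The search below is an added example, not part of the original post: it drops the user=admin filter so every account that performed an edit_user action is listed, and it assumes the object field (matched by object* in the query above) holds the name of the account that was changed.

```spl
index=_audit action=edit_user operation=*
| stats count min(_time) as first_seen max(_time) as last_seen values(object) as target_accounts by user operation
| convert ctime(first_seen) ctime(last_seen)
| sort - count
```

Each row gives one acting user and operation, with the accounts touched and the first and last time it happened in the search window.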