Use audit events to detect threats and secure data in the Splunk platform
To monitor a Splunk platform instance, first review the Audit Trail dashboards. Then investigate specific events by searching the audit log.
Review user activities and object changes in the Audit Trail app
To access the Audit Trail dashboards, take these steps:
- In Splunk Web, from the Apps Panel, select Audit Trail to open the app.
- In the Apps bar, select the Users tab or the Object Modifications tab depending on the activities you want to analyze.
The Audit Trail dashboards display search results showing the following activities:
- Users. Here, you can view user activities, like logins, failed logins, searches, and admin actions.
- Object Modifications. Here, you can view creations, updates, and deletions of knowledge objects, like saved searches, dashboards, reports, lookups, and field extractions.
To customize the dashboards, filter the search results by actions, context of the action, and time range.