Splunk Lantern

Change data

Change data refers to any recorded information about modifications made to configurations, policies, rules, or system settings. This data typically includes details about what was changed, when the change occurred, who initiated the change, and the impact of the change. Change data is critical for tracking, auditing, troubleshooting, and maintaining compliance in IT environments, especially in systems focused on security and infrastructure management.

Change data underpins accountability and helps organizations maintain the integrity and security of their systems while adhering to established governance and compliance frameworks. It provides the traceability that regulatory requirements (for example, GDPR, HIPAA, and PCI DSS) demand for every change, and it helps identify the root cause of issues by reviewing recent changes.

Key components of change data include:

  • What was changed: Detailed description of the modification (for example, policy, configuration, rule)
  • Who made the change: The user or administrator responsible for initiating the change
  • When the change occurred: Timestamps indicating when the change was made
  • Reason for the change: Optional but often logged for auditing purposes
  • Impact of the change: Affected systems, users, or processes
  • Approval information: Record of change approvals (if part of a formal change management process)

Change data typically includes events on:

The Splunk Common Information Model (CIM) add-on contains a Change data model with fields and tags that describe create, read, update, and delete activities from any data source. This model covers administrative and policy changes to infrastructure security devices, servers, and endpoint detection and response (EDR) systems.
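The following SPL search is an added example, not code from this Lantern page or from the CIM add-on itself. It pulls the key components listed above (who, what, when, where, and outcome) out of the CIM Change data model with an accelerated-datamodel `tstats` query, then flags change events that carry no attributed user, which is the accountability gap an auditor or incident responder will ask about first. It assumes the Change data model is accelerated (`summariesonly=true` reads only the accelerated summaries) and that the source add-ons populate the standard `All_Changes` fields `action`, `user`, `object`, `object_category`, `change_type`, `dest`, and `status`; the 24-hour window and the set of `action` values selected are assumptions to adjust for your environment.

```spl
| tstats summariesonly=true
    count
    min(_time) AS first_seen
    max(_time) AS last_seen
    FROM datamodel=Change.All_Changes
    WHERE earliest=-24h latest=now
        (All_Changes.action="created" OR All_Changes.action="modified"
         OR All_Changes.action="deleted" OR All_Changes.action="acl_modified")
    BY All_Changes.dest All_Changes.user All_Changes.action
       All_Changes.change_type All_Changes.object_category All_Changes.object
       All_Changes.status
| rename All_Changes.* AS *
| eval unattributed=if(isnull(user) OR user="" OR user="unknown", "yes", "no")
| convert ctime(first_seen) ctime(last_seen)
| table first_seen last_seen dest user action change_type object_category object status count unattributed
| sort -unattributed, -count
```

Each row maps directly onto the key components: `user` is who made the change, `action` plus `object_category`/`object` is what was changed, `first_seen`/`last_seen` is when, `dest` is the affected system, and `status` is the outcome. Rows with `unattributed="yes"` sort to the top; a steady stream of them usually means a data source is not populating `user` (a field-extraction or add-on problem to fix), whereas a sudden appearance on a host that previously attributed every change deserves investigation. Restricting the `action` values keeps read-only activity out of the audit view; drop that filter if your policy requires `read` events to be reviewed as well.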

Before looking at documentation for specific data sources, review the Splunk Docs information on general data ingestion: