user accounts manipulation audit example (#8158)

* user accounts manipulation audit example

Signed-off-by: jazzl0ver <[email protected]>

* user accounts manipulation audit example

Signed-off-by: jazzl0ver <[email protected]>

* user accounts manipulation audit example

Signed-off-by: jazzl0ver <[email protected]>

* Update _security/audit-logs/index.md

Co-authored-by: Craig Perkins <[email protected]>
Signed-off-by: jazzl0ver <[email protected]>

* Update _security/audit-logs/index.md

Signed-off-by: Naarcha-AWS <[email protected]>

---------

Signed-off-by: jazzl0ver <[email protected]>
Signed-off-by: Naarcha-AWS <[email protected]>
Co-authored-by: Craig Perkins <[email protected]>
Co-authored-by: Naarcha-AWS <[email protected]>

_security/audit-logs/index.md

@@ -224,3 +224,36 @@ plugins.security.audit.config.threadpool.max_queue_len: 100000
 
 To disable audit logs after they've been enabled, remove the `plugins.security.audit.type: internal_opensearch` setting from `opensearch.yml`, or switch off the **Enable audit logging** check box in OpenSearch Dashboards.
 
+## Audit user account manipulation
+
+To enable audit logging on changes to a security index, such as changes to roles mappings and role creation or deletion, use the following settings in the `compliance:` portion of the audit log configuration, as shown in the following example:
+
+```
+_meta:
+  type: "audit"
+  config_version: 2
+
+config:
+  # enable/disable audit logging
+  enabled: true
+
+  ...
+
+
+  compliance:
+    # enable/disable compliance
+    enabled: true
+
+    # Log updates to internal security changes
+    internal_config: true
+
+    # Log only metadata of the document for write events
+    write_metadata_only: false
+
+    # Log only diffs for document updates
+    write_log_diffs: true
+
+    # List of indices to watch for write events. Wildcard patterns are supported
+    # write_watched_indices: ["twitter", "logs-*"]
+    write_watched_indices: [".opendistro_security"]
+```