lmiranda 747a2b15e5 refactor(cmdb-assistant): extract skills and slim commands
- Extract 9 skill files from command knowledge:
  - mcp-tools-reference.md: Complete NetBox MCP tools reference
  - system-discovery.md: Bash commands for system info gathering
  - device-registration.md: Device registration workflow
  - sync-workflow.md: Machine sync process
  - audit-workflow.md: Data quality audit checks
  - ip-management.md: IP/prefix management and conflict detection
  - topology-generation.md: Mermaid diagram generation
  - change-audit.md: NetBox change audit workflow
  - visual-header.md: Standard visual header pattern

- Slim all 11 commands to under 60 lines:
  - cmdb-sync.md: 348 -> 57 lines
  - cmdb-register.md: 334 -> 51 lines
  - ip-conflicts.md: 238 -> 58 lines
  - cmdb-audit.md: 207 -> 58 lines
  - cmdb-topology.md: 194 -> 54 lines
  - initial-setup.md: 176 -> 74 lines
  - change-audit.md: 175 -> 57 lines
  - cmdb-site.md: 68 -> 50 lines
  - cmdb-ip.md: 65 -> 52 lines
  - cmdb-device.md: 64 -> 55 lines
  - cmdb-search.md: 46 lines (unchanged)

- Update agent to reference skills for best practices
- Preserve existing netbox-patterns skill

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-30 17:21:21 -05:00

Change Audit Skill

Audit NetBox changes for tracking and compliance.

Prerequisites

Load skill: mcp-tools-reference

MCP Tools

| Tool | Purpose | Parameters |
|------|---------|------------|
| extras_list_object_changes | List changes | user_id, changed_object_type, action |
| extras_get_object_change | Get change details | id |

Common Object Types

| Category | Object Types |
|----------|--------------|
| DCIM | dcim.device, dcim.interface, dcim.site, dcim.rack, dcim.cable |
| IPAM | ipam.ipaddress, ipam.prefix, ipam.vlan, ipam.vrf |
| Virtualization | virtualization.virtualmachine, virtualization.cluster |
| Tenancy | tenancy.tenant, tenancy.contact |

Audit Workflow

  1. Parse user request - Determine filters
  2. Query object changes - extras_list_object_changes
  3. Enrich data - Fetch detailed records if needed
  4. Analyze patterns - Identify bulk operations, unusual activity
  5. Generate report - Structured format

Report Template

## NetBox Change Audit Report

**Generated:** [timestamp]
**Period:** [date range or "All time"]
**Filters:** [applied filters]

### Summary

| Metric | Count |
|--------|-------|
| Total Changes | X |
| Creates | Y |
| Updates | Z |
| Deletes | W |
| Unique Users | N |
| Object Types | M |

### Changes by Action

#### Created Objects (Y)

| Time | User | Object Type | Object | Details |
|------|------|-------------|--------|---------|
| 2024-01-15 14:30 | admin | dcim.device | server-01 | Created device |

#### Updated Objects (Z)

| Time | User | Object Type | Object | Changed Fields |
|------|------|-------------|--------|----------------|
| 2024-01-15 15:00 | john | ipam.ipaddress | 10.0.1.50/24 | status, description |

#### Deleted Objects (W)

| Time | User | Object Type | Object | Details |
|------|------|-------------|--------|---------|
| 2024-01-14 09:00 | admin | dcim.interface | eth2 | Removed from server-01 |

### Changes by User

| User | Creates | Updates | Deletes | Total |
|------|---------|---------|---------|-------|
| admin | 5 | 10 | 2 | 17 |
| john | 3 | 8 | 0 | 11 |

### Changes by Object Type

| Object Type | Creates | Updates | Deletes | Total |
|-------------|---------|---------|---------|-------|
| dcim.device | 2 | 5 | 0 | 7 |
| ipam.ipaddress | 4 | 3 | 1 | 8 |

### Timeline

2024-01-15: ######## 8 changes
2024-01-14: #### 4 changes
2024-01-13: ## 2 changes


### Notable Patterns

- **Bulk operations:** [Many changes in short time]
- **Unusual activity:** [Unexpected deletions, after-hours changes]
- **Missing audit trail:** [Expected changes not logged]

### Recommendations

1. [Security or process recommendations based on findings]

Enriching Change Details

For a detailed audit, use extras_get_object_change to see:

  • prechange_data - Object state before change
  • postchange_data - Object state after change
  • request_id - Links related changes in same request

Security Audit Mode

When the user asks for a "security audit" or "compliance report":

  1. Focus on deletions and permission-sensitive changes
  2. Highlight changes to critical objects (firewalls, VRFs, prefixes)
  3. Flag changes outside business hours
  4. Identify users with high change counts
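
The four security-audit checks above, plus bulk-operation grouping by request_id, as an added example that is not part of the original skill file. The record field names, thresholds, business hours and critical-type set are assumptions, and the sample records are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Assumptions, not from the skill file: field names, thresholds and hours.
# Firewalls would need a device-role lookup, which is omitted here.
CRITICAL_TYPES = {"ipam.vrf", "ipam.prefix"}
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 on weekdays
HIGH_CHANGE_COUNT = 3           # changes per user
BULK_THRESHOLD = 3              # changes sharing one request_id

FIELDS = ("time", "user", "action", "changed_object_type", "request_id")
# Constructed sample change records; times are treated as local time.
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    ("2024-01-15T14:30:00", "admin", "create", "dcim.device", "r1"),
    ("2024-01-15T15:00:00", "john", "update", "ipam.ipaddress", "r2"),
    ("2024-01-14T09:00:00", "admin", "delete", "dcim.interface", "r3"),
    ("2024-01-16T02:10:00", "john", "delete", "ipam.prefix", "r4"),
    ("2024-01-16T02:10:00", "john", "delete", "ipam.prefix", "r4"),
    ("2024-01-16T02:11:00", "john", "update", "ipam.vrf", "r4"),
]]

def security_findings(changes):
    """Return (kind, user, detail) tuples for each security-audit check."""
    findings = []
    per_user = Counter()
    per_request = defaultdict(list)
    for c in changes:
        ts = datetime.fromisoformat(c["time"])
        per_user[c["user"]] += 1
        per_request[c["request_id"]].append(c)
        if c["action"] == "delete":                       # step 1
            findings.append(("deletion", c["user"], c["changed_object_type"]))
        if c["changed_object_type"] in CRITICAL_TYPES:    # step 2
            findings.append(("critical-object", c["user"], c["changed_object_type"]))
        if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:  # step 3
            findings.append(("after-hours", c["user"], c["time"]))
    for user, count in per_user.items():                  # step 4
        if count >= HIGH_CHANGE_COUNT:
            findings.append(("high-change-count", user, count))
    # Changes sharing a request_id came from one request: a bulk operation.
    for request_id, group in per_request.items():
        if len(group) >= BULK_THRESHOLD:
            findings.append(("bulk-operation", group[0]["user"], request_id))
    return findings

if __name__ == "__main__":
    for finding in security_findings(SAMPLE):
        print(*finding, sep=" | ")
```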

Filter Examples

| Request | Filter |
|---------|--------|
| Recent changes | None (last 24 hours default) |
| Last 7 days | Filter by time field |
| By user | user_id=<id> |
| Device changes | changed_object_type=dcim.device |
| All deletions | action=delete |