Configure users and roles
The Splunk App for Enterprise Security utilizes the Access Control system of Splunk Enterprise. Splunk Enterprise authentication allows you to add users, assign users to roles, and assign those roles custom capabilities as needed for your organization.
Splunk Enterprise supports three methods of user authentication:
- Splunk Enterprise's built-in user authentication system.
- User authentication using LDAP and Active Directory. See "Set up user authentication with LDAP" for more information.
- Scripted authentication API: Use scripted authentication to tie Splunk's authentication into an external authentication system, such as RADIUS or PAM. See "Set up user authentication with external systems" for more information.
Important: The Splunk Enterprise built-in authentication takes precedence over any configured external authentication.
The Splunk App for Enterprise Security adds three required roles, pre-configured with capabilities. These roles were created to assist in assigning users specific access to functions in the Enterprise Security app. Based upon the information presented below, the admin must assign groups of users to roles that best fit the tasks they will perform and manage within the Enterprise Security app.
|Role||Inherits from role||Added capabilities||Accepts user assignment|
|ess_user||user||real time search||Yes.
Replaces the user role for ES users.
|ess_analyst||user, ess_user, power||ess_user plus: edit notable events and perform all transitions||Yes.
Replaces the power role for ES users.
|ess_admin||user, ess_user, power, ess_analyst||ess_analyst plus: edit correlation searches and edit review statuses||No
Use admin role.
|admin||user, ess_user, power, ess_analyst, ess_admin||All||Yes.|
Important: The ess_admin role is assigned all ES specific capabilities, but does not inherit Splunk Enterprise admin capabilities. You must use the admin role to administer an Enterprise Security installation. To change the capabilities of the ess_user or ess_analyst roles, see Custom capabilities in this topic.
Configure user roles
There are three categories of users:
- Security Director: Reviews the Security Posture, Protection Centers, and Audit dashboards in order to understand current Security Posture of the organization. A security director will not configure the product or manage incidents.
- Security Analyst: Uses the Security Posture and Incident Review dashboards to manage and investigate Security Incidents. Security Analysts are also responsible for reviewing the Protection Centers and providing direction on what constitutes a security incident. They will also define the thresholds used by correlation searches and dashboards. A Security Analyst needs to be able to edit correlation searches and create suppressions.
- Solution Administrator: Installs and maintains Splunk Enterprise and Splunk Apps. This user is responsible for configuring workflows, on-boarding new data sources, and tuning and troubleshooting the application.
Each user type requires different levels of access to perform their assigned functions. The table below shows the user category matched to an Enterprise Security role.
|Role||Security Director||Security Analyst||Solution Administrator|
All role inheritance is pre-configured in the Enterprise Security app. If the capabilities of any role are changed, other roles will also change due to inheritance. The best method to assess the pre-configured roles, capabilities, and inheritance in the Enterprise Security app is to review the
authorize.conf file in
The Enterprise Security app implements new features on Splunk Enterprise. To control access to those features, additional capabilities have been created and assigned to the Enterprise Security specific roles.
The table below displays all ES specific capabilities. To customize a role and add access to Enterprise Security features, add the capabilities needed, and modify the app metadata files to add the role name.
|ES Feature||Capabilities required||Additional metadata changes|
|Advanced Filter or
|New notable event||edit_tcp
|Own notable event||can_own_notable_events||No|
|Edit notable events||edit_notable_events
transition_reviewstatus-X to Y
|Log review settings||edit_log_review_settings||No|
Adjust the concurrent searches for a role
Splunk Enterprise only allows three (3) searches to be run concurrently for
power roles by default. When Enterprise Security is installed, it increases these values to ten (10) by default, since dashboards can execute more than three searches.
To further increase the number of concurrent searches for a role:
- Click Apps > Manage Apps.
- Click Setup next to Enterprise Security.
- Change the number of concurrent searches for the role and save.
To manually change the default search quota by editing the
- Edit the file at
srchJobsQuotafor each role.
See the following example:
[role_user] srchJobsQuota = 15 [role_power] srchJobsQuota = 15
Configure the roles to search multiple indexes
Data sources being ingested by Splunk Enterprise are stored in multiple indexes. Multiple indexes are used to control access to data, and to accommodate varying retention policies in data sources.
By default, all roles are configured to search in the
main index as the default. To enable the searching of multiple indexes using the Enterprise Security app, you must assign the indexes that contain relevant security data to all roles that will search the data.
If you fail to change the permissions, the summary indexes and lookups will not have the correct data, which in turn means that dashboards and notable events will not contain the correct data. After you make the change, new notable events and dashboard summaries will use the correct data from now on. However, notable events and dashboard summaries created prior to the change will not be updated.
Important: When adding indexes to the default search indexes do not include any summary indexes, as this can cause a search and summary index loop.
Configure data protection
This documentation applies to the following versions of Splunk® Enterprise Security: 3.1, 3.1.1, 3.2