Splunk® Enterprise Security

Installation and Upgrade Manual

Configure users and roles

The Splunk App for Enterprise Security utilizes the Access Control system of Splunk Enterprise. Splunk Enterprise authentication allows you to add users, assign users to roles, and assign those roles custom capabilities as needed for your organization.

Authentication

Splunk Enterprise supports several methods of user authentication, its own built-in user store and external authentication systems among them. See the Securing Splunk Enterprise Manual for the supported methods and how to configure them.

Important: The Splunk Enterprise built-in user authentication takes precedence over any configured external authentication. If a user name exists both in the built-in user store and in an external system, the built-in account and its role assignments are used, so remove or rename stale built-in accounts before relying on external authentication for role mapping.

The Splunk App for Enterprise Security adds three required roles, each pre-configured with the capabilities needed for a specific set of functions in the Enterprise Security app. Based on the table below, the admin assigns groups of users to the roles that best fit the tasks they will perform and manage within the app.

ess_user
   Inherits from role: user
   Added capabilities: real time search
   Accepts user assignment: Yes. Replaces the "user" role for ES users.

ess_analyst
   Inherits from role: user, ess_user, power
   Added capabilities: inherits ess_user and adds: edit notable events and perform all transitions
   Accepts user assignment: Yes. Replaces the "power" role for ES users.

ess_admin
   Inherits from role: user, ess_user, power, ess_analyst
   Added capabilities: inherits ess_analyst and adds: edit correlation searches and edit review statuses
   Accepts user assignment: No. Assign users to the "admin" role.

admin
   Inherits from role: user, ess_user, power, ess_analyst, ess_admin
   Added capabilities: All
   Accepts user assignment: Yes.

Important: The ess_admin role is assigned all ES specific capabilities, but does not inherit Splunk Enterprise admin capabilities. You must use the "admin" role to administer an Enterprise Security installation. To change the capabilities of the ess_user or ess_analyst roles, see "Custom capabilities" in this topic.

Configure user roles

There are three categories of users:

  • Security Director: Reviews the Security Posture, Protection Centers, and Audit dashboards in order to understand current Security Posture of the organization. A security director will not configure the product or manage incidents.
  • Security Analyst: Uses the Security Posture and Incident Review dashboards to manage and investigate Security Incidents. Security Analysts are also responsible for reviewing the Protection Centers and providing direction on what constitutes a security incident. They will also define the thresholds used by correlation searches and dashboards. A Security Analyst needs to be able to edit correlation searches and create suppressions.
  • Solution Administrator: Installs and maintains Splunk Enterprise and Splunk Apps. This user is responsible for configuring workflows, on-boarding new data sources, and tuning and troubleshooting the application.

Each user type requires different levels of access to perform their assigned functions. The table below shows the user category matched to an Enterprise Security role.

  • Security Director: ess_user capabilities
  • Security Analyst: ess_analyst capabilities
  • Solution Administrator: admin capabilities

Role inheritance

All role inheritance is pre-configured in the Enterprise Security app. Because capabilities are inherited through importRoles, changing the capabilities of one role also changes every role that imports it: a capability added to ess_user is gained by ess_analyst and ess_admin as well. The best method to assess the pre-configured roles, capabilities, and inheritance in the Enterprise Security app is to review the authorize.conf file in $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/default/. Do not edit that default/ file, which is replaced on upgrade; put your own role changes in $SPLUNK_HOME/etc/system/local/authorize.conf as described below.

For more information about roles, see the topics "Add and edit roles" and "Securing Splunk" in the Securing Splunk Enterprise Manual.

Custom capabilities

The Enterprise Security app implements new, ES specific features in Splunk Enterprise. To control access to those features, additional capabilities have been created and assigned to the Enterprise Security specific roles.

The table lists all ES specific capabilities. To give a custom role access to an Enterprise Security feature, add the listed capabilities to the role and, where the table calls for it, add the role name to the write list of the relevant stanza in the app's metadata/local.meta. Use local.meta rather than default.meta so the change survives an upgrade of the app. The role1,role2 placeholders in the access lines stand for your custom role names.

Credential Manager
   Capabilities required: admin_all_objects
   Additional metadata changes: No

Correlation searches
   Capabilities required: edit_correlationsearches, schedule_search
   Additional metadata changes: In apps DA-, SA-, Splunk_(DA|SA|TA)_* and ES, in <app>/metadata/local.meta:

      [savedsearches]
      access = read : [ * ], write : [ admin,role1,role2 ]

Export content
   Capabilities required: edit_correlationsearches
   Additional metadata changes: No

Log review settings
   Capabilities required: edit_log_review_settings
   Additional metadata changes: No

Edit Lookups
   Capabilities required: edit_lookups
   Additional metadata changes: In apps DA-, SA-, Splunk_(DA|SA|TA)_* and ES, in <app>/metadata/local.meta:

      [lookups]
      access = read : [ * ], write : [ admin,role1,role2 ]

Manage Lookups
   Capabilities required: edit_lookups
   Additional metadata changes: In apps DA-, SA-, Splunk_(DA|SA|TA)_* and ES, in <app>/metadata/local.meta:

      [lookups]
      access = read : [ * ], write : [ admin,role1,role2 ]

   and in SplunkEnterpriseSecuritySuite/metadata/local.meta:

      [collections/es_managed_lookups]
      access = read : [ * ], write : [ admin,role1,role2 ]

Navigation
   Capabilities required: edit_es_navigation
   Additional metadata changes: In SplunkEnterpriseSecuritySuite/metadata/local.meta:

      [nav]
      access = read : [ * ], write : [ admin,role1,role2 ]

Edit Notable Events
   Capabilities required: edit_tcp, edit_notable_events, transition_reviewstatus-X to Y (one per status transition from X to Y)
   Additional metadata changes: No

New Notable Events
   Capabilities required: edit_tcp, edit_notable_events
   Additional metadata changes: No

Own Notable Events
   Capabilities required: can_own_notable_events
   Additional metadata changes: No

Advanced Filter or per-panel filtering
   Capabilities required: edit_per_panel_filters
   Additional metadata changes: In apps DA-, SA-, Splunk_(DA|SA|TA)_* and ES, in <app>/metadata/local.meta:

      [lookups]
      access = read : [ * ], write : [ admin,role1,role2 ]

Review Statuses
   Capabilities required: edit_reviewstatuses
   Additional metadata changes: In apps DA-, SA-, Splunk_(DA|SA|TA)_* and ES, in <app>/metadata/local.meta:

      [authorize]
      access = read : [ * ], write : [ admin,role1,role2 ]

Suppressions
   Capabilities required: edit_suppressions
   Additional metadata changes: No

Threat Lists
   Capabilities required: edit_modinput_threatlist
   Additional metadata changes: No
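The following is an added example for the local.meta changes in the table above; it is not code from Splunk or the Enterprise Security app. The Python script parses a .meta file, reports which roles lack write access on a stanza, and rewrites the access line with the missing roles added. The .meta content, the role names, and the fallback permissions used for a stanza the file does not contain (read : [ * ], write : [ admin ]) are all constructed for the example. A role that holds admin_all_objects bypasses these lists and is not modelled here.

```python
import configparser
import re

# Constructed local.meta content for the example (not copied from any shipped
# ES app): [savedsearches] still grants write only to admin, while [lookups]
# already lists ess_analyst.
LOCAL_META = """[savedsearches]
access = read : [ * ], write : [ admin ]
export = system

[lookups]
access = read : [ * ], write : [ admin, ess_analyst ]
"""

# Permissions assumed for a stanza that has no access line in this file
# (assumption for the example; in a real install the app's default.meta applies).
DEFAULT_ACL = {"read": {"*"}, "write": {"admin"}}

ACCESS_RE = re.compile(r"(read|write)\s*:\s*\[([^\]]*)\]")


def parse_access(value):
    """'read : [ * ], write : [ admin, role1 ]' -> {'read': {...}, 'write': {...}}."""
    acl = {"read": set(), "write": set()}
    for mode, names in ACCESS_RE.findall(value):
        acl[mode] = {n.strip() for n in names.split(",") if n.strip()}
    return acl


def format_access(acl):
    """Inverse of parse_access, in the layout Splunk writes itself."""
    return "read : [ %s ], write : [ %s ]" % (
        ", ".join(sorted(acl["read"])), ", ".join(sorted(acl["write"])))


def stanza_acls(text):
    """Map each stanza of a .meta file to its parsed access value."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep role names case-sensitive
    cp.read_string(text)
    return {s: parse_access(cp[s].get("access", "")) for s in cp.sections()}


def missing_write(text, stanza, roles):
    """Roles from `roles` that cannot write objects in `stanza` ('*' grants everyone)."""
    acl = stanza_acls(text).get(stanza, DEFAULT_ACL)
    if "*" in acl["write"]:
        return []
    return sorted(r for r in roles if r not in acl["write"])


def grant_write(text, stanza, roles):
    """Return the .meta text with `roles` added to the write list of `stanza`,
    creating the stanza (from DEFAULT_ACL) if the file does not have it yet."""
    acl = stanza_acls(text).get(stanza, {k: set(v) for k, v in DEFAULT_ACL.items()})
    acl["write"] |= set(roles)
    new_line = "access = " + format_access(acl)
    out, in_stanza, done = [], False, False
    for line in text.splitlines():
        if line.startswith("["):
            if in_stanza and not done:  # our stanza ended without an access line
                out.append(new_line)
                done = True
            in_stanza = line.strip() == "[%s]" % stanza
        elif in_stanza and not done and line.split("=", 1)[0].strip() == "access":
            line = new_line
            done = True
        out.append(line)
    if not done:
        out += [new_line] if in_stanza else ["", "[%s]" % stanza, new_line]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    ess_roles = ["ess_analyst", "ess_admin"]
    for stanza in ("savedsearches", "lookups", "collections/es_managed_lookups"):
        print(stanza, "missing write for:", missing_write(LOCAL_META, stanza, ess_roles))
    fixed = grant_write(LOCAL_META, "savedsearches", ess_roles)
    fixed = grant_write(fixed, "collections/es_managed_lookups", ess_roles)
    print(fixed)
```

Run it against the metadata/local.meta of each app named in the table. For a stanza the file does not have, the script appends one, so the write grant lands in local.meta, where an upgrade that replaces the app's default.meta does not remove it.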

Adjust the concurrent searches for a role

Splunk Enterprise limits the number of searches that a member of the user and power roles can run concurrently (the srchJobsQuota setting in authorize.conf). Enterprise Security dashboards start several searches at once for each user, so after Enterprise Security is installed, increase the limits for roles other than admin.

To increase the number of concurrent searches for a role from the Enterprise Security setup page:

  1. Click Apps > Manage Apps.
  2. Click Setup next to Enterprise Security.
  3. Change the number of concurrent searches for the role and save.

To change the default search quota manually, edit the authorize.conf file:

  • Edit the file at $SPLUNK_HOME/etc/system/local/authorize.conf and set srchJobsQuota for each role.

Example:

   [role_user]
   srchJobsQuota = 15

Configure the roles to search multiple indexes

Data sources being ingested by Splunk Enterprise are stored in multiple indexes. Multiple indexes are used to control access to data and to accommodate varying retention policies in data sources.

By default, the roles search only the main index (their srchIndexesDefault) when a search does not name an index. To enable the searching of multiple indexes, you must manually assign the indexes that contain relevant security data to all ES roles, both as allowed indexes and as default search indexes. If the roles are not updated, the ES searches and the knowledge objects built on their results will not include the data from unassigned indexes.

Note: When adding indexes to a role, do not include summary indexes among the default search indexes. Searches that do not name an index read all of the role's default indexes, so a summary-generating search would read its own output back as input and summarize it again, causing a search and summary index loop.

See "Set up multiple indexes" and "Add users and assign roles" in the Splunk documentation for more information.
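The following is an added example, not part of Splunk Enterprise or the Enterprise Security app, that ties together the authorize.conf review recommended under "Role inheritance", the srchJobsQuota setting from "Adjust the concurrent searches for a role", and the summary-index note above. It parses an authorize.conf text constructed for the example (modelled on the role table in this topic, not a copy of the file the app ships), follows importRoles transitively, and reports each role's effective capabilities, concurrent-search quota, and default and allowed search indexes. Assumptions: Splunk resolves quotas and index lists to the most permissive value across a role and the roles it imports, the summary index is named "summary", and transition_reviewstatus-1_to_2 stands in for the real transition_reviewstatus-X to Y capabilities.

```python
import configparser

# Constructed authorize.conf modelled on the ES 3.3 role table in this topic;
# it is not the file shipped with the app. Quotas and index lists are example
# values. The ess_admin stanza deliberately puts "summary" among the default
# indexes so the loop check below has something to find.
AUTHORIZE_CONF = """[role_user]
search = enabled
srchJobsQuota = 3
srchIndexesDefault = main
srchIndexesAllowed = main;summary

[role_power]
importRoles = user
schedule_search = enabled
srchJobsQuota = 6

[role_ess_user]
importRoles = user
rtsearch = enabled

[role_ess_analyst]
importRoles = ess_user;power
edit_notable_events = enabled
transition_reviewstatus-1_to_2 = enabled

[role_ess_admin]
importRoles = ess_analyst
edit_correlationsearches = enabled
edit_reviewstatuses = enabled
srchIndexesDefault = main;summary
"""

# Indexes that must never be default search indexes (assumption for the
# example: ES 3.x writes its summary events to an index called "summary").
SUMMARY_INDEXES = {"summary"}

# Keys in a role stanza that are settings rather than capabilities.
SETTINGS = {"importRoles", "srchJobsQuota", "srchIndexesDefault", "srchIndexesAllowed"}


def parse_roles(text):
    """Map role name -> {key: value} for every [role_<name>] stanza."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # capability names are case-sensitive
    cp.read_string(text)
    return {s[len("role_"):]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}


def _list(value):
    return [v.strip() for v in value.split(";") if v.strip()]


def import_chain(roles, role, chain=None):
    """The role followed by every role it imports, directly or indirectly."""
    chain = [] if chain is None else chain
    if role in chain or role not in roles:
        return chain
    chain.append(role)
    for parent in _list(roles[role].get("importRoles", "")):
        import_chain(roles, parent, chain)
    return chain


def effective(roles, role):
    """Resolve inheritance: capabilities accumulate along the import chain and
    (modelled assumption) the most permissive quota and index lists win."""
    caps, default_idx, allowed_idx, quota = set(), set(), set(), 0
    for r in import_chain(roles, role):
        stanza = roles[r]
        caps |= {k for k, v in stanza.items() if k not in SETTINGS and v.lower() == "enabled"}
        quota = max(quota, int(stanza.get("srchJobsQuota", 0)))
        default_idx |= set(_list(stanza.get("srchIndexesDefault", "")))
        allowed_idx |= set(_list(stanza.get("srchIndexesAllowed", "")))
    return {"capabilities": caps, "srchJobsQuota": quota,
            "srchIndexesDefault": default_idx, "srchIndexesAllowed": allowed_idx}


def check_role(roles, role):
    """Findings for one role: a summary index used as a default search index
    (the loop this topic warns about), or a default index missing from the allowed list."""
    eff = effective(roles, role)
    findings = []
    loop = eff["srchIndexesDefault"] & SUMMARY_INDEXES
    if loop:
        findings.append("%s: summary index in srchIndexesDefault: %s" % (role, ", ".join(sorted(loop))))
    unreachable = eff["srchIndexesDefault"] - eff["srchIndexesAllowed"]
    if unreachable:
        findings.append("%s: default index not in srchIndexesAllowed: %s" % (role, ", ".join(sorted(unreachable))))
    return findings


if __name__ == "__main__":
    roles = parse_roles(AUTHORIZE_CONF)
    for name in roles:
        eff = effective(roles, name)
        print(name, "imports", import_chain(roles, name)[1:], "quota", eff["srchJobsQuota"])
        print("   capabilities:", ", ".join(sorted(eff["capabilities"])))
        for finding in check_role(roles, name):
            print("   !", finding)
```

On a real installation, feed parse_roles the merged configuration printed by splunk btool authorize list rather than a single file, because role settings can be spread across $SPLUNK_HOME/etc/system/local and the app directories.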


This documentation applies to the following versions of Splunk® Enterprise Security: 3.3.0, 3.3.1, 3.3.2, 3.3.3

