Splunk® Enterprise Security

Install and Upgrade Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Configure users and roles

Splunk Enterprise Security uses the access control system integrated with the Splunk platform. Splunk platform authorization lets you add users, assign users to roles, and assign custom capabilities to those roles to provide granular, role-based access control for your organization.

Splunk Enterprise Security relies on the admin user to run saved searches. If you plan to delete the admin user, update knowledge objects owned by that user before you do.

There are scenarios where it is still possible for an authenticated user to interact with certain core resources outside the control of the ES app, which can result in a lack of auditability. Make sure that all users with access to the ES app are trusted users that should have access to your ES related data, such as notable events and investigations.

Configuring user roles

Splunk Enterprise Security adds three roles to the default roles provided by the Splunk platform. The new roles allow a Splunk administrator to assign access to specific functions in ES based on a user's access requirements. The Splunk platform administrator can assign groups of users to the roles that best fit the tasks the users will perform and manage in Splunk Enterprise Security. There are three categories of users.

| User | Description | Splunk ES role |
| --- | --- | --- |
| Security Director | Seeks to understand the current security posture of the organization by reviewing primarily the Security Posture, Protection Centers, and Audit dashboards. A security director does not configure the product or manage incidents. | ess_user |
| Security Analyst | Uses the Security Posture and Incident Review dashboards to manage and investigate security incidents. Security Analysts are also responsible for reviewing the Protection Centers and providing direction on what constitutes a security incident. They also define the thresholds used by correlation searches and dashboards. A Security Analyst must be able to edit notable events. | ess_analyst |
| Solution Administrator | Installs and maintains Splunk platform installations and Splunk Apps. This user is responsible for configuring workflows, adding new data sources, and tuning and troubleshooting the application. | admin or sc_admin |

Each custom role inherits from Splunk platform roles and adds capabilities specific to Splunk ES. Not all of the three roles custom to Splunk ES can be assigned to users.

| Splunk ES role | Inherits from Splunk platform role | Added Splunk ES capabilities | Can be assigned to users |
| --- | --- | --- | --- |
| ess_user | user | Real-time search, list search head clustering, edit Splunk eventtypes in the Threat Intelligence supporting add-on, manage notable event suppressions. | Yes. Replaces the user role for ES users. |
| ess_analyst | user, ess_user, power | Inherits ess_user and adds the capabilities to create, edit, and own notable events and perform all transitions, and create and modify investigations. | Yes. Replaces the power role for ES users. |
| ess_admin | user, ess_user, power, ess_analyst | Inherits ess_analyst and adds several other capabilities. | No. You must use a Splunk platform admin role to administer an Enterprise Security installation. |

The ess_admin role is a container of capabilities that Enterprise Security provides to the system administrator role, which allows you to install and configure Enterprise Security. Do not assign the ess_admin role to users: although the role provides custom capabilities, a user who holds it does not have access to the access control lists (ACLs).

See Capabilities specific to Splunk Enterprise Security for more details about which capabilities are assigned to which roles by default.

The Splunk platform admin role inherits all unique ES capabilities. In a Splunk Cloud Platform deployment, the Splunk platform admin role is named sc_admin. Use the admin or sc_admin role to administer an Enterprise Security installation.

| Splunk platform role | Inherits from role | Added capabilities | Accepts user assignment |
| --- | --- | --- | --- |
| admin | user, ess_user, power, ess_analyst, ess_admin | All | Yes. |
| sc_admin | user, ess_user, power, ess_analyst, ess_admin | All | Yes. |

ES expects that a user with the name and role of admin exists. If ES is installed on an on-premises Splunk Enterprise instance where the admin user's name is changed during the initial installation, then the scheduled searches included with ES are orphaned, disabled, and an error message prompts you to reassign them.

Role inheritance

All role inheritance is preconfigured in Enterprise Security. If the capabilities of any role are changed, other inheriting roles will receive the changes. For more information about roles, see the Splunk platform documentation.

Add capabilities to a role

Capabilities control the level of access that roles have to various features in Splunk Enterprise Security. Use the Permissions page in Enterprise Security to review and change the capabilities assigned to a role.

  1. On the menu bar, select Configure > General > Permissions.
  2. Find the role you want to update.
  3. Find the ES Component you want to add.
  4. Select the check box for the component for the role.
  5. Save.

Capabilities specific to Splunk Enterprise Security

Splunk Enterprise Security uses custom capabilities to control access to features specific to Splunk Enterprise Security. However, if you see list_inputs, this is a base capability that should not be removed.

Add custom roles in Splunk Enterprise Security

Add custom roles to the permissions page in Splunk Enterprise Security so that you can update access control lists (ACLs) for those custom roles.

If you add capabilities to custom roles or existing roles on the Splunk Platform Settings page, you must update the ACLs.

Follow these steps to add custom roles on the permissions page in Splunk Enterprise Security:

  1. Navigate to Settings > Data > Data inputs > App Permissions Manager > enforce_es_permissions.
  2. In the Managed Roles field, add the new custom roles as a comma separated list.
  3. Click Save.

The custom roles that you add are populated in the Permissions Manager page of Splunk Enterprise Security within 60 seconds so that you can enable specific ACLs. If you only add role-based capabilities to the role and don't add the ACLs, the ACLs don't get updated. This applies to both custom roles and existing roles such as ess_analyst. For example, if you add the edit_correlationsearches capability to the existing ess_analyst role, an error message is displayed when a user with the ess_analyst role attempts to save edits to a correlation search, because correlation searches do not have the ess_analyst role included in their "write" ACLs.
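The capability and ACL mismatch described above, together with the role inheritance covered earlier, can be checked offline. The following Python is an added example, not Splunk's own code: it resolves importRoles inheritance from authorize.conf and reports roles that hold a capability but are absent from the "write" ACL of the object that capability governs. The sample file contents, the [correlationsearches] metadata stanza, and the GUARDED capability-to-stanza mapping are constructed assumptions.

```python
import configparser
import re

# Constructed samples, not taken from a real deployment.
AUTHORIZE_CONF = """
[role_ess_analyst]
importRoles = user;ess_user;power
edit_correlationsearches = enabled
[role_ess_admin]
importRoles = user;ess_user;power;ess_analyst
[role_admin]
importRoles = user;ess_user;power;ess_analyst;ess_admin
"""
META = "[correlationsearches]\naccess = read : [ * ], write : [ admin, ess_admin ]\n"
GUARDED = {"edit_correlationsearches": "correlationsearches"}  # hypothetical mapping

def load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def lineage(cp, role, seen=None):
    # The role itself plus every role it inherits from through importRoles.
    seen = set() if seen is None else seen
    if role not in seen:
        seen.add(role)
        imports = cp.get(f"role_{role}", "importRoles", fallback="")
        for parent in filter(None, map(str.strip, imports.split(";"))):
            lineage(cp, parent, seen)
    return seen

def effective_caps(cp, role):
    # Capabilities enabled on the role or on any role in its lineage.
    return {k for r in lineage(cp, role) if cp.has_section(f"role_{r}")
            for k, v in cp.items(f"role_{r}") if v.strip() == "enabled"}

def acl_gaps(auth, meta, guarded):
    # Assumption: an ACL entry also covers roles that inherit the listed role.
    gaps = []
    for role in (s[5:] for s in auth.sections() if s.startswith("role_")):
        for cap, stanza in guarded.items():
            m = re.search(r"write\s*:\s*\[([^\]]*)\]", meta.get(stanza, "access", fallback=""))
            allowed = {r.strip() for r in m.group(1).split(",")} if m else set()
            if (cap in effective_caps(auth, role) and "*" not in allowed
                    and not lineage(auth, role) & allowed):
                gaps.append((role, cap, stanza))
    return sorted(gaps)

if __name__ == "__main__":
    print(acl_gaps(load(AUTHORIZE_CONF), load(META), GUARDED))
```

In the sample, the capability added to ess_analyst also reaches ess_admin and admin through inheritance, but only ess_analyst is reported because the other two appear in the write ACL.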

Capabilities are defined in the authorize.conf configuration file for Enterprise Security.

Function in ES Description Capability ess_user ess_analyst ess_admin
Configure filters for users and analysts Allows Splunk Enterprise Security administrators to configure access to saved filters for users and analysts. edit_filter_sets X X
Access data from Splunk UBA Access data from Splunk Enterprise to Splunk UBA. edit_uba_settings X
Adaptive Response Relay and associated KVStore collection Write the Common Action Model (CAM) queue. See Set up an Adaptive Response Relay in Splunk Enterprise Security. edit_cam_queue X
Configuration checks Allows you to run configuration checks. edit_modinput_configuration_check X
Create new notable events and edit existing notable events Create ad-hoc notable events from search results. See Manually create a notable event in Splunk Enterprise Security. Make changes to notable events, such as assigning them and transitioning them between statuses. Statuses for Splunk ES investigations are stored in the reviewstatuses.conf file. See Triage notable events on Incident Review in Splunk Enterprise Security. edit_notable_events X X
Credential Manager Manage credentials and certificates for Splunk Enterprise Security and other apps. Cannot be set on the Permissions page. See Manage credentials in Splunk Enterprise Security. admin_all_objects
Data migrations Allows you to perform one-time data migrations. edit_modinput_data_migrator X
Edit the Data Model Acceleration (DMA) modular input Identify who can edit the Data Model Acceleration modular input. DMA is turned on for the required data models using a modular input by default. edit_modinput_dm_accel_settings X
Edit specific modinputs Make changes to edit the modular name by using the "whois" feature. edit_modinput_whois X
Edit advanced search schedule settings Edit the schedule priority and schedule window of correlation searches on Content Management. edit_search_schedule_priority
Edit correlation searches Edit correlation searches on Content Management. See Configure correlation searches in Splunk Enterprise Security. Users with this capability can also export content from Content Management as an app. See Export content as an app from Splunk Enterprise Security. edit_correlationsearches
Edit Distributed Configuration Management Use distributed configuration management. See Deploy add-ons included with Splunk Enterprise Security. edit_modinput_es_deployment_manager X
Edit ES navigation Make changes to the Enterprise Security navigation. See Customize the menu bar in Splunk Enterprise Security. edit_es_navigation X
Edit identity lookup configuration Manage Asset and Identity lookup configurations. See Add asset and identity data to Splunk Enterprise Security, Enable asset and identity correlation in Splunk Enterprise Security, and Manage assets and identities in Splunk Enterprise Security. edit_modinput_identity_manager X
Edit Incident Review Make changes to Incident Review settings. See Customize Incident Review in Splunk Enterprise Security. edit_log_review_settings X
Edit lookups Create and make changes to lookup table files. See Create and manage lookups in Splunk Enterprise Security. edit_lookups, edit_managed_configurations X
Edit statuses Make changes to the statuses available to select for investigations and notable events. See Manage notable event statuses. edit_reviewstatuses X
Edit notable event suppressions Edit Splunk eventtypes in the Threat Intelligence supporting add-on, and create and edit notable event suppressions. See Create and manage notable event suppressions. The ess_user and ess_analyst roles don't have the default ability to edit suppressions through Splunk Web. However, they have the ability to perform read and write operations on eventtypes, so they can edit suppressions through the event types interface. edit_suppressions X
Edit per-panel filters Permits the role to update per-panel filters on dashboards. See Configure per-panel filtering in Splunk Enterprise Security. edit_per_panel_filters X
Edit app permissions manager Allows you to edit app permissions manager. Required for essinstall. edit_modinput_app_permissions_manager X
Edit intelligence downloads Change intelligence download settings. See Download a threat intelligence feed from the Internet in Splunk Enterprise Security and Download an intelligence feed from the Internet in Splunk Enterprise Security. edit_modinput_threatlist X
Edit risk factors Change risk factor settings. See Create risk factors. edit_risk_factors X
Edit threat intelligence collections Upload threat intelligence and perform CRUD operations on threat intelligence collections using the REST API. See Upload a custom CSV file of threat intelligence in Splunk Enterprise Security and Threat Intelligence API reference. edit_threat_intel_collections X
Import content Allows you to import content from installed applications. edit_modinput_ess_content_importer X
Migrate correlation searches (Internal) Used by the background script to migrate correlation searches. migrate_correlationsearches X
Manage configurations Make changes to the general settings or the list of editable lookups. See Configure general settings for Splunk Enterprise Security. edit_managed_configurations X
Manage all investigations Allows the role to view and make changes to all investigations. See Manage security investigations in Splunk Enterprise Security. manage_all_investigations X
Manage Sequence Templates Allows the role to make changes to Sequence Templates, Sequence Template REST handlers, and related web pages. See Manage sequence templates in Splunk Enterprise Security. edit_sequence_templates X
Manage analytics stories Allows the role to make changes to analytics stories. See Manage analytics stories in Splunk Enterprise Security edit_analyticstories X X
Manage your investigations Create and edit investigations. Roles with this capability can make changes to investigations on which they are a collaborator. See Investigations in Splunk Enterprise Security. edit_timeline X X
Own notable events Allows the role to be an owner of notable events. See Assign notable events. can_own_notable_events X X
Search-driven lookups Create lookup tables that can be populated by a search. See Create search-driven lookups in Splunk Enterprise Security. edit_managed_configurations
Update app imports Allows you to update app imports with all apps matching a given regular expression. edit_modinput_app_imports_update X

Adjust the concurrent searches for a role

The Splunk platform defines a limit on concurrently running searches for the user and power roles by default. You may want to change that limit for some roles.

  1. On the menu bar, select Configure > General > General Settings.
  2. Review the limits for roles and change them as desired.
| Item | Description |
| --- | --- |
| Search Disk Quota (admin) | The maximum disk space (MB) a user with the admin role can use to store search job results. |
| Search Jobs Quota (admin) | The maximum number of concurrent searches for users with the admin role. |
| Search Jobs Quota (power) | The maximum number of concurrent searches for users with the power role. |

To change the limits for roles other than admin and power, edit the authorize.conf file to update the default search quota. See the authorize.conf.example in the Splunk Enterprise Admin manual.

Configure the roles to search multiple indexes

The Splunk platform stores ingested data sources in multiple indexes. Distributing data into multiple indexes allows you to use role-based access control and vary retention policies for data sources. The Splunk platform configures all roles to search only the main index by default. For more information about working with roles, see the Splunk platform documentation.

To allow roles in Splunk Enterprise Security to search additional indexes, assign the indexes that contain relevant security data to the relevant roles.

  1. Select Settings > Access Controls.
  2. Click Roles.
  3. Click the role name that you want to allow to search additional indexes.
  4. Select the desired Indexes searched by default and Indexes that this role can search. Do not include summary indexes, as this can cause a search and summary index loop.
  5. Save your changes.
  6. Repeat for additional roles as needed.

If you do not update the roles with the correct indexes, searches and other knowledge objects that rely on data from unassigned indexes will not update or display results.
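The two failure modes in this section, a summary index slipping into a role's index list and a role left without access to an index it needs, can be checked against authorize.conf. The following Python is an added example, not Splunk's own code: it reads the srchIndexesAllowed and srchIndexesDefault settings of each role and flags both cases, including summary indexes covered only by a wildcard. The soc_tier1 role and all index names are constructed assumptions.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample; role soc_tier1 and all index names are placeholders.
AUTHORIZE_CONF = """
[role_ess_analyst]
srchIndexesAllowed = main;firewall
srchIndexesDefault = main;firewall
[role_soc_tier1]
srchIndexesAllowed = *
srchIndexesDefault = main;*summary
"""
SUMMARY_INDEXES = ["notable_summary", "summary"]  # assumed summary index names
REQUIRED_INDEXES = ["firewall", "notable"]        # assumed indexes with security data

def patterns(cp, section, key):
    # Index lists in authorize.conf are semicolon-separated and may hold wildcards.
    return [p.strip() for p in cp.get(section, key, fallback="").split(";") if p.strip()]

def audit_indexes(conf_text):
    # Only settings on the role's own stanza are checked; importRoles is not resolved.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for section in (s for s in cp.sections() if s.startswith("role_")):
        role = section[len("role_"):]
        for key in ("srchIndexesAllowed", "srchIndexesDefault"):
            for index in SUMMARY_INDEXES:
                hit = next((p for p in patterns(cp, section, key) if fnmatchcase(index, p)), None)
                if hit:  # explicit name or a wildcard that silently covers it
                    findings.append((role, key, f"summary index {index} matched by {hit}"))
        for index in REQUIRED_INDEXES:
            if not any(fnmatchcase(index, p) for p in patterns(cp, section, "srchIndexesAllowed")):
                findings.append((role, "srchIndexesAllowed", f"{index} not searchable"))
    return findings

if __name__ == "__main__":
    for finding in audit_indexes(AUTHORIZE_CONF):
        print(*finding, sep=" | ")
```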

For more information on the reasons for multiple indexes, see Why have multiple indexes? in Splunk Enterprise Managing Indexers and Clusters of Indexers.

Configure permissions for Machine Learning Toolkit SPL commands

No new capabilities are added to ES for using MLTK. To restrict permissions for MLTK SPL commands, see Change permissions in default.meta.conf in the Splunk Machine Learning Toolkit User Guide.

Last modified on 05 September, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2
