topic Re: Splunk Enterprise Security: How to secure part of the _audit index? in Splunk Enterprise Security

Splunk Enterprise Security: How to secure part of the _audit index?

tjago11 — Thu, 20 Jun 2019 12:34:05 GMT

We have Enterprise Security installed for a specific Search Head and would like the _audit logs in a different location than the main Search Heads.
The ES SH is used for doing security investigations and we do not want the searches executed readable by the masses.
However, we don't want to lock down everything in _audit.

I'd think the simplest thing to do is have the _audit logs for that one SH sent to a different index??
Is that even possible??
Thanks.

Re: Splunk Enterprise Security: How to secure part of the _audit index?

richgalloway — Thu, 20 Jun 2019 12:47:04 GMT

Searches run by users are also visible in _internal so securing _audit is not enough. Consider not forwarding _internal and _audit to your indexers (keep them local).

Re: Splunk Enterprise Security: How to secure part of the _audit index?

jnudell_2 — Thu, 20 Jun 2019 19:08:20 GMT

Hi @tjago11 ,

As @richgalloway mentioned, securing _audit will not be enough. You would also have to secure _internal.

Even if you follow his recommendation to not forward the internal & _audit logs from the ES search head, the indexers themselves will store a copy of the searches run in _THEIR _internal Splunk logs.

Other than completely locking down _internal & _audit, there is no easy way to do this.

Options to consider might be:
- Search restrictions
- Scripted authentication. Using scripted authentication, you can create a level of granularity with permissions and search restrictions that prevent people from seeing certain types of data (ie: logs from _internal & _audit on the ES host AND the _internal logs on indexers that pertain to searches from ES hosts). This is complicated and not easy to setup, but it is a way to accomplish what you want to do.

Re: Splunk Enterprise Security: How to secure part of the _audit index?

tjago11 — Fri, 21 Jun 2019 13:21:57 GMT

Ahhhh, crap. Totally forgot about the indexer logs that will contain the searches ran there as well, ugh. Okay sounds like I'll need to create some search term restrictions to get a semblance of security around that data.

Do you think it is sufficient to do something like this??
NOT (user=123456 OR user=abcdefg)

I'll know who the security people are so building that restriction will be pretty easy. Heck, if I want to get fancy I can likely resolve the security people by role and gen a lookup table to use as the restriction.

Re: Splunk Enterprise Security: How to secure part of the _audit index?

tjago11 — Fri, 21 Jun 2019 13:28:02 GMT

Just confirmed that if I limit the results by the user, the search data does not come back. Did a search with a guid and then went to the internal indexes to see all the places it showed up. When I add in the user restriction it finds nothing, which is good.
index=_* "ec840050-a53f-4b0e-af5a-5f0678bfbcb5" user!=123456

Pretty sure this will work, thanks for the help.