We use custom-built roles for different groups who use Splunk. Typically the users in their role are restricted to certain indexes, and further restricted to what hosts they can see by using tags (hosts are tagged by the tags associated with the roles that are allowed to see them). Our Palo Alto logs are in their own pan_index and only certain people in our IT Security group are allowed access to that index with their role. However, it seems that this does not extend into the Palo Alto Networks app for Splunk. It seems that anyone that can login can open the app and see things in the Incident Investigation Feed (_time, log_subtype, threat_name, severity, action, app, client_ip).
I'm wondering why that is so? Is there a way to restrict who can use the app?
without having the app installed i cant say for certain why its happening but you should be able to disable the use of the app by role.
Manage App > Permissions > uncheck read/write for role
I would check the configuration file precedence of the authorize.conf files for the roles in question of a user.
Another option would also be to validate the local.meta for the app.
Yes. As a result of changing the permissions it now reads:
access = read : [ admin, can_delete, splunk-system-role, user_itsecurity ], write : [ admin, can_delete, splunk-system-role, user_itsecurity ]
By default, it was globally shared with everyone.
without having the app installed i cant say for certain why its happening but you should be able to disable the use of the app by role.
Manage App > Permissions > uncheck read/write for role
Yes, sir, that did the trick. Thanks.