Solved: Splunk for Palo Alto Networks: How to limit permis...

ckillg · ‎08-15-2015

I would like to limit certain users' access to URL filtering and config change data coming from the PAN. Is there a way to do that?

I would put the data in separate indexes, but the app documentation says to use pan_logs for everything.

jnussbaum_splun · ‎08-15-2015

Under Access Controls -> Roles , you can restrict search terms and exclude eventtypes such as you're mentioning above with:
index=pan_logs eventtype!=pan_config eventtype!=pan_threat
This will allow the Role to search the pan_logs index, but not events that fall into the eventtype of pan_config and pan_threat. Hope that's what you're looking for.

View solution in original post

jnussbaum_splun · ‎08-15-2015

Under Access Controls -> Roles , you can restrict search terms and exclude eventtypes such as you're mentioning above with:
index=pan_logs eventtype!=pan_config eventtype!=pan_threat
This will allow the Role to search the pan_logs index, but not events that fall into the eventtype of pan_config and pan_threat. Hope that's what you're looking for.

ckillg · ‎08-15-2015

Perfect. Thanks.

Splunk for Palo Alto Networks: How to limit permissions for users by log type?

User Groups | Upcoming Events!

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)