
What roles or capabilities are needed that Alerts will display in Incident Posture?

Panssa
New Member

I have users with user and alert_manager role.
They have capabilities:
accelerate_search
change_own_password
edit_tcp
embed_report
get_metadata
get_typeahead
input_file
list_inputs
output_file
pattern_detect
request_remote_tok
rest_apps_view
rest_properties_get
rest_properties_set
schedule_rtsearch
schedule_search
search

but if they make alerts with the actions Send email, Add to Triggered Alerts and Alert Manager, only Send email and Add to Triggered Alerts work. Alert Manager doesn't display the alert. But if I add the capability admin_all_objects, the alert displays in Incident Posture.
I don't want to grant that capability; is there some other way?


Simon
Contributor

Hi Panssa
Unfortunately, as of today it only works by granting admin_all_objects to a user to make the Alert Manager work. We are working on a solution in order to solve this issue.

Update:
As a workaround, create a user just for scheduling the alerts and assign the saved searches (alerts) to this user having admin_all_objects. Viewers only of the alert manager don't need to have "admin_all_objects".

Sorry for not having better news,
Simon


Simon
Contributor

Hi Panssa

I've got an update for you. I've figured out how to schedule an alert as a non-admin and have incidents created.
The minimum required capabilities (besides everything from the 'user' role) are:

edit_tcp
list_settings
schedule_search

  • edit_tcp: To ingest data back to Splunk (writing to 'alerts' index)
  • list_settings: To read mail server settings to send customized e-mail notifications
  • schedule_search: To save a search as an alert

Within the next release (no ETA yet) of the Alert Manager, the 'alert_manager' role will contain those capabilities.

It also requires a slight modification to a Python library in the Alert Manager (NotificationHandler.py), see the latest commit on GitHub:
https://github.com/simcen/alert_manager/commit/e975ee4fdf38eea4584a7110c9735af297c0c253
You can download the latest version of the file (https://raw.githubusercontent.com/simcen/alert_manager/e975ee4fdf38eea4584a7110c9735af297c0c253/bin/...) and replace it in $SPLUNK_HOME/etc/apps/alert_manager/bin/lib/NotificationHandler.py

Let me know if you have any questions.
Thanks,
Simon

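The least-privilege role Simon describes, written out as an authorize.conf stanza next to the admin_all_objects variant the original poster wanted to avoid (an added example, not from the Alert Manager app or Simon's answer; the role names are assumptions, and the three capabilities are the ones listed above):

```ini
# Added example, not part of the Alert Manager app.
# File: $SPLUNK_HOME/etc/system/local/authorize.conf (location is an assumption).
# Splunk .conf files only accept full-line '#' comments, so none are inline.

# Over-privileged variant: every member of the role can read, write and
# change ownership of every knowledge object on the instance.
[role_alert_scheduler_admin]
importRoles = user
admin_all_objects = enabled

# Least-privilege variant: only what is needed to schedule an alert and
# have Alert Manager create an incident, on top of the inherited 'user' role.
[role_alert_scheduler]
importRoles = user
# write events back into Splunk (the 'alerts' index)
edit_tcp = enabled
# read mail server settings for customized e-mail notifications
list_settings = enabled
# save a search as a scheduled alert
schedule_search = enabled
```

After a restart, the merged definition can be checked with `$SPLUNK_HOME/bin/splunk btool authorize list role_alert_scheduler` to confirm no extra capabilities were inherited.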