What roles or capabilities are needed that Alerts will display in Incident Posture?

Panssa
New Member

I have users with user and alert_manager role.
They have capabilities:
accelerate_search
change_own_password
edit_tcp
embed_report
get_metadata
get_typeahead
input_file
list_inputs
output_file
pattern_detect
request_remote_tok
rest_apps_view
rest_properties_get
rest_properties_set
schedule_rtsearch
schedule_search
search

but if they make alerts with the actions Send email, Add to Triggered Alerts and Alert Manager, only Send email and Add to Triggered Alerts work. Alert Manager doesn't display the alert. But if I add the capability admin_all_objects, the alert displays in Incident Posture.
I don't want to grant that capability; is there some other way?

Simon
Contributor

Hi Panssa
Unfortunately, as of today it only works when granting admin_all_objects to a user to make the Alert Manager work. We are working on a solution to solve this issue.

Update:
As a workaround, create a user just for scheduling the alerts and assign the saved searches (alerts) to this user, which has admin_all_objects. Users who only view the Alert Manager don't need "admin_all_objects".

Sorry for not having better news,
Simon

Simon
Contributor

Hi Panssa

I've got an update for you. I've figured out how to schedule an alert as a non-admin and have incidents created.
The minimum required capabilities (besides everything from the 'user' role) are:

edit_tcp
list_settings
schedule_search

  • edit_tcp: To ingest data back into Splunk (writing to the 'alerts' index)
  • list_settings: To read mail server settings in order to send customized e-mail notifications
  • schedule_search: To save a search as an alert

Within the next release (no ETA yet) of the Alert Manager, the 'alert_manager' role will contain those capabilities.

Also it requires a slight modification to a python library in the Alert Manager (NotificationHandler.py), see latest commit at github:
https://github.com/simcen/alert_manager/commit/e975ee4fdf38eea4584a7110c9735af297c0c253
You can download the latest version of the file (https://raw.githubusercontent.com/simcen/alert_manager/e975ee4fdf38eea4584a7110c9735af297c0c253/bin/...) and replace it in $SPLUNK_HOME/etc/apps/alert_manager/bin/lib/NotificationHandler.py

Let me know if you have any questions.
Thanks,
Simon

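Added example (not from the thread or from the Alert Manager project): a Python check that reads a user's effective capabilities from Splunk's REST API and reports which of the three capabilities Simon lists are missing, and whether the user also carries admin_all_objects. It assumes the JSON shape of GET /services/authentication/users/<user>?output_mode=json (an "entry" list whose items have content.roles and content.capabilities) and bearer-token auth; fetch_user is a hypothetical helper and SAMPLE_USER is a constructed record modelled on the capability list in the question.

```python
import json
import urllib.request

# Minimum capabilities named in the thread (on top of the 'user' role).
REQUIRED = {"edit_tcp", "list_settings", "schedule_search"}
# Broad capability the thread says should not be handed out just for this.
OVER_PRIVILEGED = {"admin_all_objects"}


def audit_user(user_json: dict) -> dict:
    """Compare a user's effective capabilities with the required set."""
    entry = user_json["entry"][0]
    content = entry.get("content", {})
    caps = set(content.get("capabilities", []))
    over = sorted(OVER_PRIVILEGED & caps)
    return {
        "name": entry.get("name"),
        "roles": list(content.get("roles", [])),
        "missing": sorted(REQUIRED - caps),
        "over_privileged": over,
        "ok": REQUIRED <= caps and not over,
    }


def fetch_user(base_url: str, token: str, user: str) -> dict:
    """Hypothetical helper for a live instance (management port, 8089)."""
    req = urllib.request.Request(
        f"{base_url}/services/authentication/users/{user}?output_mode=json",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample mirroring the poster's user ('user' + 'alert_manager'),
# which has edit_tcp and schedule_search but not list_settings.
SAMPLE_USER = {"entry": [{"name": "panssa", "content": {
    "roles": ["user", "alert_manager"],
    "capabilities": [
        "accelerate_search", "change_own_password", "edit_tcp", "embed_report",
        "get_metadata", "get_typeahead", "input_file", "list_inputs",
        "output_file", "pattern_detect", "request_remote_tok", "rest_apps_view",
        "rest_properties_get", "rest_properties_set", "schedule_rtsearch",
        "schedule_search", "search"]}}]}

if __name__ == "__main__":
    print(json.dumps(audit_user(SAMPLE_USER), indent=2))
```

Run against a live instance by replacing SAMPLE_USER with fetch_user("https://splunk.example:8089", token, "panssa"); a result with "missing": [] and "over_privileged": [] is what the thread's minimum role should produce.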