Splunk Search

Is there any way to restrict searches based on user's source IP address?

brettcave
Builder

Is there any way possible to restrict searches based on the source IP of a Splunk user?

Current environment is Splunk Enterprise 6 with SAML, hosted behind apache as a reverse proxy with mod_mellon handling the SAML authentication to our SSO idp. (https://www.splunk.com/blog/2013/10/09/splunk-sso-using-saml-through-okta.html)

Perhaps some way to map to different user IDs or roles via Apache mod config somehow, and then use standard Splunk restrictions in roles?

0 Karma

brettcave
Builder

Figured out a solution:

Deploy a second Splunk server as a search head without data / index. The 2nd search head can have its own knowledge bundle / different permissions on roles.

0 Karma

tiagofbmm
Influencer

Hey

You can map LDAP groups (as well as SAML) to Splunk roles:

https://docs.splunk.com/Documentation/Splunk/7.0.2/Security/MapLDAPgroupstoSplunkroles

0 Karma

brettcave
Builder

Yes, we are doing this. So how could we map to different roles based on source IP address?

e.g. Currently I am user "brettcave" with role "developer" that has certain rights.
If I log onto Splunk from 192.168.1.0/24, I want to map to the "developer" role, but if I access from any other IP, I want to map to the "user" role.

Is this possible?

0 Karma

tiagofbmm
Influencer

I think what you can do is to try to do that on your DC side. Splunk just maps groups to roles and that's it.

If you can figure out your strategy on the DC side, then it is fine. But in Splunk I don't think so.

0 Karma

starcher
SplunkTrust

No, Splunk has no controls based on network source, only user-to-role mapping.

robgora_deloitt
Path Finder

I agree with Starcher. Splunk does not have the ability to match roles based off of network location. You can only do it by mapping users and groups to a role.

0 Karma

brettcave
Builder

Solution posted below - by using 2 different SSO profiles - 1 to the original search head and a 2nd search head with a different configuration, the 2nd head can have a different configuration / ACL configuration.

0 Karma
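As an added illustration of the two-search-head approach (not configuration from the original thread or from Splunk), the following Apache 2.4 reverse-proxy fragment sends browsers on 192.168.1.0/24 to the full-privilege search head and everyone else to the second, restricted search head, so each head's own role configuration does the enforcement. The backend hostnames, ports and the mod_mellon block are assumptions; the SAML handling itself is unchanged from the blog post linked in the question.

```apache
<VirtualHost *:443>
    ServerName splunk.example.com          # assumed hostname
    SSLEngine on
    # ... certificate directives as in your existing proxy config ...

    # SAML authentication via mod_mellon, as in the existing setup (assumed paths)
    <Location />
        MellonEnable "auth"
        MellonSPMetadataFile /etc/apache2/mellon/sp-metadata.xml
        MellonSPPrivateKeyFile /etc/apache2/mellon/sp-private-key.pem
        MellonSPCertFile /etc/apache2/mellon/sp-cert.pem
        MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
        MellonEndpointPath /mellon
        Require valid-user
    </Location>

    # If another load balancer sits in front of Apache, REMOTE_ADDR is the
    # balancer's address; enable mod_remoteip with a trusted proxy list so
    # the client IP check below sees the real source address.
    # RemoteIPHeader X-Forwarded-For
    # RemoteIPTrustedProxy 10.0.0.0/8

    RewriteEngine On
    # Clients inside 192.168.1.0/24 reach the original search head,
    # where SAML groups map to the "developer" role.
    RewriteCond %{REMOTE_ADDR} ^192\.168\.1\.[0-9]+$
    RewriteRule ^/(.*)$ http://searchhead-dev:8000/$1 [P,L]
    # Everyone else reaches the second search head, whose authorize.conf
    # maps the same SAML groups to the "user" role only.
    RewriteRule ^/(.*)$ http://searchhead-restricted:8000/$1 [P,L]

    ProxyPassReverse / http://searchhead-dev:8000/
    ProxyPassReverse / http://searchhead-restricted:8000/
</VirtualHost>
```

This only decides which search head a browser is proxied to; both search heads must be firewalled so port 8000 accepts connections from the proxy alone, otherwise a user who can reach the developer head directly bypasses the check.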