Deployment Architecture

Role Search Restrictions - Syntax

ft_kd02
Path Finder

Hi all, not sure if deployment architecture was the right place to put this question. I need some clarification regarding search restrictions.

Context: The powers that be are looking into roles to enforce data segregation on a single application to serve multiple clients. This is not my area of expertise. 

Question:
I'm having trouble figuring out the syntax of 'Search Restrictions' in the roles section of Splunk. For each role, we limit the indexes available to that client through Settings > Users & Authentication > Roles > Indexes. For now, Included is checked for each index used. There are 6 capabilities inherited from a base class, which I can list if they are relevant to the question.

Through testing, I've narrowed down the problem to the restrictions. Confining the search to the indexes works and we get all the data we need through (though it's not separated by client). When I hit 'search restrictions', I've tried several combinations of syntax to evaluate a field present in the indexes that dictates which client's data we're looking at. Call it client. This is a two-digit alphanumeric.

Example:
The format in live data: clientArray.CLIENT=6A
In summary data: CLIENT=6A

Looking through the docs, it should work correctly from what I can tell. I add in my field for both like so, using the search filter SPL generator:

(CLIENT::6A) OR (clientArray.CLIENT::6A)

The preview gives me:

index=index1 OR index=index2 OR index=index3 OR index=index4 OR index=index5 | search (CLIENT::6A) OR (clientArray.CLIENT::6A)

This does not allow any data through. If I use the operator CLIENT=6A in a basic search, I'm getting back the data I need. Of course '=' is not allowed in search restrictions. Any ideas on what I'm doing wrong here? 
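For reference, here is how the same per-client restriction looks in the underlying .conf files. This is an added example, not part of the original post: the role name, the sourcetype, and the JSON layout of the raw event are assumptions, and the index names are the ones from the preview above. The key point it illustrates is that the `field::value` form in a search filter matches index-time fields only, so a field that exists only at search time (such as an auto-extracted JSON path like clientArray.CLIENT) has to be written into the index-time metadata before the filter can see it.

```ini
# authorize.conf (search head): one role per client, limited to that
# client's indexes and to events whose indexed CLIENT field is 6A.
# "CLIENT::6A" matches the index-time field only; a search-time field of
# the same name never matches here, which is why the filter returns nothing
# until CLIENT is indexed (see the transforms below).
[role_client_6a]
importRoles = user
srchIndexesAllowed = index1;index2;index3;index4;index5
srchIndexesDefault = index1
srchFilter = CLIENT::6A

# props.conf (indexer or heavy forwarder that parses the data).
# The sourcetype name is hypothetical; use the one your data arrives with.
[client_json]
TRANSFORMS-client = client_to_meta

# transforms.conf: copy the two-character client code into the index-time
# metadata. Assumes the raw event carries JSON containing "CLIENT":"6A";
# adjust REGEX to match the real event format.
[client_to_meta]
REGEX = "CLIENT"\s*:\s*"([A-Za-z0-9]{2})"
FORMAT = CLIENT::$1
WRITE_META = true

# fields.conf: declare CLIENT as an indexed field so searches on it use
# the index rather than a search-time extraction.
[CLIENT]
INDEXED = true
```

The change only applies to data indexed after the restart, so a quick check is `| tstats count where index=index1 by CLIENT`, which returns rows only for events where CLIENT was actually written at index time; a user assigned to the role should then see only the 6A rows.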

jamesanderos
New Member

Types of resource restrictions

You can set limitations on searches by configuring either time or data set restrictions based on user, role, or tenant.

Resource restrictions are applied in the following order: user, user role, and tenant. For example, restrictions that are set for a user take precedence over restrictions that are set for the user role or tenant that the user is assigned to.

You can set the following types of restrictions on event and flow searches:
  • The length of time that a search runs before data is returned.
  • The time span of the data to be searched.
  • The number of records that are processed by the Ariel query server.

User-based restrictions

User-based restrictions define limits for an individual user, and they take precedence over role and tenant restrictions.

For example, your organization hires university students to work with the junior analysts in your SOC. The students have the same user role as the other junior analysts, but you apply more restrictive user-based restrictions until the students are properly trained in building QRadar® queries.

Role-based restrictions

Role-based restrictions allow you to define groups of users who require different levels of access to your QRadar deployment. By setting role-based restrictions, you can balance the needs of different types of users.

For example, a junior security analyst might focus on security incidents that happened recently, while a senior security analyst might be more involved in forensic investigations that review data over a longer period of time. By setting role-based restrictions, you can limit a junior analyst to accessing only the last 7 days of data, while a senior analyst has access to a much larger time span of data.


ft_kd02
Path Finder

Unless I'm mistaken, this is related to another product and not Splunk. 
