Deployment Architecture

authorize.conf configuration

d_lim
Path Finder

Hi there, 

Looking into /opt/splunk/etc/system/local/authorize.conf I saw alot of configurations as below. 

Would like to understand how this came about, and is it of any concern?

transition_reviewstatus-10_to 11 = enabled
transition_reviewstatus-10_to 12 = disabled
transition_reviewstatus-10_to 13 = depreciated
transition_reviewstatus......
transition_reviewstatus......

Searching the internal logs gives this -
index=_internal component=AuthorizationManager

09-22-2020 15:15:25.219 +0800 WARN AuthorizationManager - Capability 'transition_reviewstatus-9_to 8' is not recognized by Splunk. Ignoring...

Labels (2)
Tags (1)
1 Solution

rupkumar4sec
Path Finder

Hello @d_lim , Normally Splunk premium apps like Enterprise security or PCI will have capabilities defined in the format  "transition_reviewstatus-<x>_to_<y>". 

If you are using apps like Enterprise security or PCI and default roles that comes with app, then you may need those configurations in your authorize.conf . But here you mentioned that you found those configurations in system/local, So someone might have used same naming structure to define capabilities. 

Coming to your error, Capability 'transition_reviewstatus-9_to 8' may not be defined. If it not defined any where you can remove that stanza in authorize.conf

View solution in original post

96nick
Communicator

Those entries appear related to the Splunk App for PCI Compliance. Take a look at the link below and look at 'Edit notable events':

https://docs.splunk.com/Documentation/PCI/4.3.0/Install/ConfigureUsersRoles

 

To sum it up, it's a capability used to transition between different statuses in an investigation.

More info here:

https://docs.splunk.com/Documentation/PCI/4.3.0/User/Investigationstatus

0 Karma

rupkumar4sec
Path Finder

Hello @d_lim , Normally Splunk premium apps like Enterprise security or PCI will have capabilities defined in the format  "transition_reviewstatus-<x>_to_<y>". 

If you are using apps like Enterprise security or PCI and default roles that comes with app, then you may need those configurations in your authorize.conf . But here you mentioned that you found those configurations in system/local, So someone might have used same naming structure to define capabilities. 

Coming to your error, Capability 'transition_reviewstatus-9_to 8' may not be defined. If it not defined any where you can remove that stanza in authorize.conf

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...