Is there a way to limit the amount of data a user can export from the Splunk Web UI?

bshamsian
Path Finder

Due to security reasons, we need to limit the amount of data a user is exporting out of Splunk by using the Export option in the Splunk Web UI. Is there any way to do this?

I looked everywhere and did not find a setting to say, for example, that the maximum number of results that can be exported by anyone at a given time is 100 events. In the UI, when you are exporting, the user has the option to limit the number of rows, but I could not see a way to hard-code that to 100, for example.

Also, is there a way to search through the _internal index and find any export attempts? If so, is there a way to see what the search was and who ran it? Is there a way to see how many rows were exported?

0 Karma

stephanefotso
Motivator

Hello!
What you are asking is not yet possible. As you can see in Settings --> Access controls --> Roles, you cannot limit the number of results a user can export. Once you allow a user to run searches (by giving him a search role), you can only set search restrictions, like Restrict search terms, Restrict search time, the maximum number of concurrent search jobs, etc.

Now, to know any searches launched by any user, here is the query you need: | rest /services/search/jobs | table author custom.search

Thanks

SGF
0 Karma

bshamsian
Path Finder

I tried to use the REST endpoint but did not see anything in there that pointed out the export query and the number of records downloaded. Is that returned by the jobs endpoint?

0 Karma

stephanefotso
Motivator

But you can see users' custom searches, not the export action. If a user has used the export command in the search query, you will see it in the custom.search column.
Thanks

SGF
0 Karma

bshamsian
Path Finder

Yes, I can see the custom search that was run before the download, but there is no way to find out if they downloaded the results. I am trying to set up an alert in Splunk so our security officer is notified every time someone downloads results out of Splunk. As part of the alert he would need to know what the search query and time frame were and how many results they downloaded. The only way I have found so far is by searching the _internal index - something like this:

index=_internal sourcetype=splunkd_ui_access "isDownload=true"

We can extract the search query that was performed for the download from the results returned by the search above, but I cannot find a way to see how many records were downloaded.

0 Karma
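The detection idea in the post above, exported as a small stand-alone checker rather than an SPL alert, so the logic can be tested offline. This is an added example and not code from the thread or from Splunk. The log lines are constructed to resemble the Apache-style access lines that Splunk Web writes to splunkd_ui_access; the exact field layout of a real deployment, and the parameter names on the export URL (isDownload, outputMode, count), are assumptions here. The example shows what the access line does and does not carry: the user, the search job id (sid) and the row limit the client asked for are all in the request, but the number of rows actually returned is not, so the response size in bytes is the only proxy available from this source.

```python
"""Find result exports in splunkd_ui_access-style log lines (added example)."""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines modelled on Splunk Web access-log lines. The layout
# (client, user, timestamp, request, status, bytes, ... , duration) is an
# assumption for illustration, not a guarantee about any real deployment.
SAMPLE_LINES = [
    '10.0.0.5 - alice [02/Dec/2024:10:15:01.123 +0000] "GET /en-US/api/search/jobs/1733134500.123/results?isDownload=true&outputMode=csv&count=0 HTTP/1.1" 200 48213 - - - 87ms',
    '10.0.0.7 - bob [02/Dec/2024:10:16:44.555 +0000] "GET /en-US/app/search/search?q=index%3Dmain HTTP/1.1" 200 1200 - - - 12ms',
    '10.0.0.5 - alice [02/Dec/2024:10:17:09.001 +0000] "GET /en-US/api/search/jobs/1733134600.456/results?isDownload=true&outputMode=json&count=100 HTTP/1.1" 200 9001 - - - 40ms',
    '10.0.0.9 - carol [02/Dec/2024:10:18:00.000 +0000] "POST /en-US/splunkd/__raw/servicesNS/carol/search/search/jobs HTTP/1.1" 201 300 - - - 5ms',
]

# Fields: client, "-", user, [timestamp], "METHOD path PROTOCOL", status, bytes
LINE_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# The search job id sits between /search/jobs/ and /results in the request path.
SID_RE = re.compile(r'/search/jobs/(?P<sid>[^/]+)/results')


def parse_line(line):
    """Parse one access line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group('path'))
    params = {k: v[-1] for k, v in parse_qs(url.query).items()}
    sid_match = SID_RE.search(url.path)
    count = params.get('count', '')
    return {
        'client': m.group('client'),
        'user': m.group('user'),
        'timestamp': m.group('ts'),
        'sid': sid_match.group('sid') if sid_match else None,
        'is_download': params.get('isDownload', '').lower() == 'true',
        'output_mode': params.get('outputMode'),
        # Row limit the client requested; the access line never records how
        # many rows were actually returned. count=0 asks for all rows.
        'requested_rows': int(count) if count.isdigit() else None,
        'status': int(m.group('status')),
        'bytes': int(m.group('bytes')) if m.group('bytes').isdigit() else 0,
    }


def find_exports(lines):
    """Return parsed events that are successful result downloads."""
    events = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev['is_download'] and ev['status'] == 200:
            events.append(ev)
    return events


def flag_large_exports(events, max_rows=100):
    """Flag downloads whose requested limit is missing, unbounded (0) or above max_rows."""
    flagged = []
    for ev in events:
        rows = ev['requested_rows']
        if rows is None or rows == 0 or rows > max_rows:
            flagged.append(ev)
    return flagged


def exports_per_user(events):
    """Count downloads per user, a cheap signal for an alert threshold."""
    return Counter(ev['user'] for ev in events)


if __name__ == '__main__':
    exports = find_exports(SAMPLE_LINES)
    for ev in exports:
        print(f"{ev['timestamp']} user={ev['user']} sid={ev['sid']} "
              f"mode={ev['output_mode']} requested_rows={ev['requested_rows']} bytes={ev['bytes']}")
    for ev in flag_large_exports(exports, max_rows=100):
        print(f"ALERT: {ev['user']} requested more than 100 rows (sid {ev['sid']})")
    print(dict(exports_per_user(exports)))
```

The sid captured from the path is the key for correlating the download with the job that produced it; the job record (for example via the rest /services/search/jobs endpoint mentioned earlier in the thread) carries the search string and time range that the access line itself does not.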