Review roles for unnecessary read or write access?

mtupper · ‎02-27-2019

I am receiving a Health Check warning regarding the roles and responsibilities for our "investigative_canvas" in Enterprise Security. I have referred to the URL below initially. I do not see any problems with the below stanza. Am I missing something?

[collections/investigative_canvas]
access = read : [ ess_analyst ], write : [ admin ]
export = system
owner = nobody
version = 6.6.2
modtime = 1508440201.516152100

https://docs.splunk.com/Documentation/ES/5.2.2/Admin/Troubleshoothealthcheck

integratorz · ‎02-28-2019

@mtupper after looking at the link you are talking about, I realized the problem lies in the fact that the ess_analyst has access to this collection. It is recommended that only admins have access to these collections.

integratorz · ‎02-28-2019

whats the actual error your seeing?

mtupper · ‎02-28-2019

My mistake should have added that.

"Health Check: Review roles for unnecessary read or write access to the "investigation_event" collection and remove access if possible."

We only recently began receiving these errors after moving our environment from an on-prem solution to the cloud. We did a fresh install of ES, a clone did not work on at the time.

mtupper · ‎02-28-2019

EDIT: The error is not for "investigative_event" but for "investigative_canvas"

Review roles for unnecessary read or write access?

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?