Security

Review roles for unnecessary read or write access?

mtupper
New Member

I am receiving a Health Check warning regarding the roles and responsibilities for our "investigative_canvas" in Enterprise Security. I have referred to the URL below initially. I do not see any problems with the below stanza. Am I missing something?

[collections/investigative_canvas]
access = read : [ ess_analyst ], write : [ admin ]
export = system
owner = nobody
version = 6.6.2
modtime = 1508440201.516152100

https://docs.splunk.com/Documentation/ES/5.2.2/Admin/Troubleshoothealthcheck

Tags (1)
0 Karma

integratorz
Path Finder

@mtupper after looking at the link you are talking about, I realized the problem lies in the fact that the ess_analyst has access to this collection. It is recommended that only admins have access to these collections.

0 Karma

integratorz
Path Finder

whats the actual error your seeing?

0 Karma

mtupper
New Member

My mistake should have added that.

"Health Check: Review roles for unnecessary read or write access to the "investigation_event" collection and remove access if possible."

We only recently began receiving these errors after moving our environment from an on-prem solution to the cloud. We did a fresh install of ES, a clone did not work on at the time.

0 Karma

mtupper
New Member

EDIT: The error is not for "investigative_event" but for "investigative_canvas"

0 Karma
Get Updates on the Splunk Community!

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...