Security

Review roles for unnecessary read or write access?

mtupper
New Member

I am receiving a Health Check warning regarding the roles and responsibilities for our "investigative_canvas" in Enterprise Security. I have referred to the URL below initially. I do not see any problems with the below stanza. Am I missing something?

[collections/investigative_canvas]
access = read : [ ess_analyst ], write : [ admin ]
export = system
owner = nobody
version = 6.6.2
modtime = 1508440201.516152100

https://docs.splunk.com/Documentation/ES/5.2.2/Admin/Troubleshoothealthcheck

Tags (1)
0 Karma

integratorz
Path Finder

@mtupper after looking at the link you are talking about, I realized the problem lies in the fact that the ess_analyst has access to this collection. It is recommended that only admins have access to these collections.

0 Karma

integratorz
Path Finder

whats the actual error your seeing?

0 Karma

mtupper
New Member

My mistake should have added that.

"Health Check: Review roles for unnecessary read or write access to the "investigation_event" collection and remove access if possible."

We only recently began receiving these errors after moving our environment from an on-prem solution to the cloud. We did a fresh install of ES, a clone did not work on at the time.

0 Karma

mtupper
New Member

EDIT: The error is not for "investigative_event" but for "investigative_canvas"

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...