Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Security Enterprise V6.6.2 - Can't assign owners in Incident Review - Is there a bug

Justin_M
New Member
‎06-19-2024 09:46 AM

Hi All,

We have Splunk Security ENT 6.6.2 - EOL, I know! our admins guys are working on upgrading.

My Problem.

We created 2 new user groups. Team A and Team B

We gave Team A - Total access to data in half the indexes. Role restrictions on indexes

We gave Team B - Total access to data in the other half the indexes. Role restrictions on indexes

The outcome was as expected, Team A can only see data from indexes for their role and likewise for Team B.

This is where we have a problem, Both Teams need to user the Incident Review Dashboard and Both teams need to assign notable events to users within their own Team. As Owners.

However, they cannot, and the system gives errors.

If we take the role restriction off. So both teams can see all Data. Then they can assign notable events.

Our internal Splunk admin, say it is a bug in this version and the system needs to be upgraded.

My questions,

Has anyone experienced similar? 

Is there a bug and if so, any reference that can be found on the bug?

Are there any workarounds regarding this problem?

We have 2 teams that need to use the Incident Review to respond to alerts. However, these teams need to be independent and should not be able to see data within indexes that belongs to the other Team.

Thanks for any advise.

Labels (1)
Labels
0 Karma
Reply

shivanshu1593
Builder
‎07-03-2024 06:19 AM

I can't seem to find anything in known issues that matches your problem on the version that your team is using.

https://docs.splunk.com/Documentation/ES/6.6.2/RN/KnownIssues

Restricting access to indexes should not affect the capability to make changes to the IR dashboard (unless the notable index has been restricted too). The one recommendation I have is to ask the Splunk admin to see if they are restricting the capability to edit notables in the custom roles that may have been developed for restricting access to indexes.

Also, if possible if you could share the error that you encounter while editing the notables, it will help us to help you to find a solution.

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...