Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create investigations in ES 5.2.2?

chrispounds
Explorer
‎04-24-2019 01:40 AM

Hi all,

So i have added the edit_timeline role to a user and they can create an investigation, but after you click "start investigation" they are greeted with a "failed to retrieve investigation" message. I was under the impression it was just the one user role needed for investigations, has anyone come across this before?

Many thanks,

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

smoir_splunk
Splunk Employee
Splunk Employee
‎04-24-2019 09:39 AM

Per the documentation, they need the "Manage Your Investigations" capability
https://docs.splunk.com/Documentation/ES/5.2.2/Admin/Manageinvestigations
which as you correctly identify is the edit_timeline capability (not a role, but is by default included for the ess_analyst role).

If you added this capability using the ES Permissions page, it should be working. If you added the capability using authorize.conf, some necessary ACLs might be missing. Check the ES Permissions page, and/or verify that the users have the ess_analyst role (unless you are using custom roles).

View solution in original post

Reply
Solved! Jump to solution
Solution

smoir_splunk
Splunk Employee
Splunk Employee
‎04-24-2019 09:39 AM

Per the documentation, they need the "Manage Your Investigations" capability
https://docs.splunk.com/Documentation/ES/5.2.2/Admin/Manageinvestigations
which as you correctly identify is the edit_timeline capability (not a role, but is by default included for the ess_analyst role).

If you added this capability using the ES Permissions page, it should be working. If you added the capability using authorize.conf, some necessary ACLs might be missing. Check the ES Permissions page, and/or verify that the users have the ess_analyst role (unless you are using custom roles).

Reply
Solved! Jump to solution

chrispounds
Explorer
‎04-30-2019 05:33 AM

Thank you smoir 🙂

0 Karma
Reply
Solved! Jump to solution

chrispounds
Explorer
‎04-25-2019 01:08 AM

So we currently have custom roles for our ES system.

sec_user -> inherits normal user with added capabilities (edit_timeline).

But when i view sec_user's "imported capabilities", edit_timeline doesn't appear, so perhaps it isn't inheriting the capability correctly? Although this wouldn't explain why the user can create the investigation, but receives an error when trying to view.

I have checked the investigation as admin and can confirm it's working as expected, so must be a permission hick up somewhere!

0 Karma
Reply
Solved! Jump to solution

pschulz_splunk
Splunk Employee
Splunk Employee
‎04-25-2019 01:49 PM

when the user is missing edit_timeline capability you should see: 'You do not have permission to access investigations.'
There is probably something else going on, you should check if there are failing network requests.

0 Karma
Reply
Solved! Jump to solution

smoir_splunk
Splunk Employee
Splunk Employee
‎04-25-2019 09:36 AM

Yeah, that does sound odd. I'd suggest using the ES permissions page to manually add the capability to the sec_user role, or to re-add it to the "normal user" account and see if that fixes the issue.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...