Splunk Enterprise Security

Incident Review Dashboard Issue for a User

anandhalagarasa
Path Finder

Hi Team,

We have a separate ES Splunk Cloud for our organisation.

In it, we have provided access via SAML authentication for all the members of the Security Operations team, and we have created roles for them as well.

Our issue is that currently one of the users from the Security Operations team is able to log in via SAML authentication, but he is not able to view the Incident Review dashboard data when he searches for any time range.

When we checked the Job Inspector, we got the errors mentioned below.

Other users who are provided with the same role have access to the Incident Review dashboard and can view the notable events, whereas this particular user alone is not able to view the Incident Review dashboard events.

When I checked the Job Inspector, I could see error events like the below:

Search process did not exit cleanly, exit_code=255, description="exited with code 255". Please look in search.log for this peer in the Job inspector for more info.

Also some errors in the logs, such as:

WARN Download Remote DataTransaction - Got status code : 404 (Not Found) from indexer.

So kindly let me know why this particular user is able to log in to Splunk Cloud but is not able to view the events in the Incident Review dashboard.

0 Karma

dhihoriya_splun
Splunk Employee

Hi @anandhalagarasan

You can check and compare the capabilities for the user who is not able to view notable events and open the incident review dashboard with other users who are able to access that dashboard.

You can take reference from this Splunk Documentation regarding ES capabilities:
https://docs.splunk.com/Documentation/ES/5.3.1/Install/ConfigureUsersRoles

Thanks,
Dixit

0 Karma
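
One way to carry out the comparison suggested in the reply above, as an added example that is not part of the original thread or Splunk's own code. It assumes role data shaped like the `capabilities` and `imported_roles` fields of Splunk's `/services/authorization/roles` REST endpoint; the role names, user names and capability assignments are constructed for illustration.

```python
# Constructed sample data: hypothetical roles and their capabilities.
ROLES = {
    "soc_base": {"capabilities": ["search"], "imported_roles": []},
    "soc_analyst": {
        "capabilities": ["edit_notable_events", "schedule_search"],
        "imported_roles": ["soc_base"],
    },
    "soc_readonly": {"capabilities": [], "imported_roles": ["soc_base"]},
}
# Constructed user-to-role mapping, e.g. as resolved from SAML group mappings.
# "soc_analyst_old" is deliberately not defined in ROLES.
USERS = {
    "working_analyst": ["soc_analyst"],
    "affected_analyst": ["soc_readonly", "soc_analyst_old"],
}

def effective_capabilities(role_names, roles):
    """Return (capabilities, unknown_roles) after following role inheritance."""
    caps, unknown, seen = set(), set(), set()
    stack = list(role_names)
    while stack:
        name = stack.pop()
        if name in seen:          # guards against inheritance cycles
            continue
        seen.add(name)
        role = roles.get(name)
        if role is None:          # mapped role that does not exist
            unknown.add(name)
            continue
        caps.update(role["capabilities"])
        stack.extend(role["imported_roles"])
    return caps, unknown

def compare_users(working, affected, users, roles):
    """Diff the affected user's effective capabilities against a working user's."""
    w_caps, _ = effective_capabilities(users[working], roles)
    a_caps, unknown = effective_capabilities(users[affected], roles)
    return {
        "missing": sorted(w_caps - a_caps),   # held by working user only
        "extra": sorted(a_caps - w_caps),     # held by affected user only
        "unknown_roles": sorted(unknown),
    }

if __name__ == "__main__":
    print(compare_users("working_analyst", "affected_analyst", USERS, ROLES))
```

A non-empty `missing` list points at capabilities to review for the affected user, and `unknown_roles` flags a mapped role name that does not resolve to any defined role.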

anandhalagarasa
Path Finder

Kindly help on the request.

0 Karma