RBAC for Notable events?

jack_lang · ‎08-16-2022

Hi,

Imagine the role `A` has access to index=foobar, but roles 'B' and 'C' do not. Imagine Splunk Enterprise Security creates a notable event / alert based on data in index=foobar. Is it possible to ensure only members in 'A' can see the alert, and 'B' and 'C' cannot? How?

More broadly, is this possible outside of Enterprise Security too? How?

Appreciate any help!

hettervik · ‎08-26-2022

In general, as notable events are stored in a separate index (called "notable"), the permission for the indexes for the original events doesn't apply anymore. However, I guess you could add the index field from the original events to the notable event, call it e.g. "original_index", and then create a search filters for different user groups, so that for example users with access to index "foobar" can only see notable events with "original_index=foobar".

I'm not sure how this would work for incidents in Splunk ES though, as I understand that viewing incidents in the "Incident Review" in Splunk ES is not the same as looking up events from the notable index per se, and that search filters might not apply here.

RBAC for Notable events?

using Enterprise Security

Splunk Platform | Upgrading your Splunk Deployment to Python 3.9

From Product Design to User Insights: Boosting App Developer Identity on Splunkbase

Detect and Resolve Issues in a Kubernetes Environment