Splunk Enterprise Security

Splunk Enterprise Security: How to secure part of the _audit index?

tjago11
Communicator

We have Enterprise Security installed for a specific Search Head and would like the _audit logs in a different location than the main Search Heads.
The ES SH is used for doing security investigations and we do not want the searches executed readable by the masses.
However, we don't want to lock down everything in _audit.

I'd think the simplest thing to do is have the _audit logs for that one SH sent to a different index?
Is that even possible?
Thanks.

0 Karma
1 Solution

jnudell_2
Builder

Hi @tjago11 ,

As @richgalloway mentioned, securing _audit will not be enough. You would also have to secure _internal.

Even if you follow his recommendation to not forward the _internal & _audit logs from the ES search head, the indexers themselves will store a copy of the searches run in THEIR _internal Splunk logs.

Other than completely locking down _internal & _audit, there is no easy way to do this.

Options to consider might be:
- Search restrictions
- Scripted authentication. Using scripted authentication, you can create a level of granularity with permissions and search restrictions that prevents people from seeing certain types of data (i.e. logs from _internal & _audit on the ES host AND the _internal logs on indexers that pertain to searches from ES hosts). This is complicated and not easy to set up, but it is a way to accomplish what you want to do.

0 Karma

tjago11
Communicator

Ahhhh, crap. Totally forgot about the indexer logs that will contain the searches run there as well, ugh. Okay, sounds like I'll need to create some search term restrictions to get a semblance of security around that data.

Do you think it is sufficient to do something like this?
NOT (user=123456 OR user=abcdefg)

I'll know who the security people are so building that restriction will be pretty easy. Heck, if I want to get fancy I can likely resolve the security people by role and gen a lookup table to use as the restriction.

0 Karma

tjago11
Communicator

Just confirmed that if I limit the results by the user, the search data does not come back. Did a search with a GUID and then went to the internal indexes to see all the places it showed up. When I add in the user restriction it finds nothing, which is good.
index=_* "ec840050-a53f-4b0e-af5a-5f0678bfbcb5" user!=123456

Pretty sure this will work, thanks for the help.

0 Karma
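One way to apply the user-based restriction discussed above to a whole role, as an added example that is not part of the original posts: a role search filter in authorize.conf. The role name and the two user names are placeholders; srchFilter, srchIndexesAllowed, srchIndexesDefault and srchFilterSelecting are standard authorize.conf settings, and the filter is assumed to be deployed on every instance the restricted users can log in to (search heads and, if applicable, indexers).

```ini
# Added example, not from the thread.
# Location: $SPLUNK_HOME/etc/system/local/authorize.conf
# Role name and user names below are placeholders.

[role_general_user]
# Search-time filter appended to every search this role runs.
# Drops the ES analysts' own events from _audit and _internal,
# which is the restriction tjago11 tested with user!=123456.
srchFilter = NOT (user=123456 OR user=abcdefg)

# Keep the internal indexes out of the default search scope so
# casual searches do not touch them; they remain allowed explicitly.
srchIndexesAllowed = main;_audit;_internal
srchIndexesDefault = main

# Search filters of a user's roles are combined with OR by default
# (selecting). Set to false so this filter is combined with AND
# (eliminating); otherwise a second role with an empty filter
# would cancel the restriction for users holding both roles.
srchFilterSelecting = false
```

Verify after a restart by running the GUID test from the post above as a user in this role: the events should not return, and an analyst outside the role should still see them.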

richgalloway
SplunkTrust

Searches run by users are also visible in _internal so securing _audit is not enough. Consider not forwarding _internal and _audit to your indexers (keep them local).

---
If this reply helps you, Karma would be appreciated.