Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Enterprise Security: What role or capability is needed to enable the investigations functionality for users?

szabados
Communicator
‎06-09-2016 12:24 AM

Some users reported that the investigations functionality is not available for them in the Enterprise Security app. What role/capability should I assign to them?

0 Karma
Reply

smoir_splunk
Splunk Employee
Splunk Employee
‎06-09-2016 01:12 PM

To create investigations, a user must be an ess_admin or have the edit_timeline capability. See
http://docs.splunk.com/Documentation/ES/4.1.1/Install/ConfigureUsersRoles to see how to add the capability.

If they can see investigations but can't view specific investigations, they would need to be added as a collaborator on that investigation.

0 Karma
Reply

tskinner_splunk
Splunk Employee
Splunk Employee
‎05-31-2023 10:34 AM

should not be assigning ess_admin role to users. It is a container role which is used just to give additional capabilities and inherited by admin (or sc_admin in splunk cloud) to be used for ES installation and upgrade tasks. It contains no ACLs

https://docs.splunk.com/Documentation/ES/latest/Install/ConfigureUsersRoles

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...