Splunk Enterprise Security

Splunk Enterprise Security: What role or capability is needed to enable the investigations functionality for users?

szabados
Communicator

Some users reported that the investigations functionality is not available for them in the Enterprise Security app. What role/capability should I assign to them?

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

To create investigations, a user must be an ess_admin or have the edit_timeline capability. See
http://docs.splunk.com/Documentation/ES/4.1.1/Install/ConfigureUsersRoles to see how to add the capability.

If they can see investigations but can't view specific investigations, they would need to be added as a collaborator on that investigation.

0 Karma

tskinner_splunk
Splunk Employee
Splunk Employee

should not be assigning ess_admin role to users. It is a container role which is used just to give additional capabilities and inherited by admin (or sc_admin in splunk cloud) to be used for ES installation and upgrade tasks. It contains no ACLs

https://docs.splunk.com/Documentation/ES/latest/Install/ConfigureUsersRoles

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...