Splunk Enterprise Security

What is the purpose of ess_admin role in splunk ES when it is advised not to assign it to users?

rupeshn
Explorer

I'm trying to get why ess-admin role is present when it should not be assigned to users?

0 Karma
1 Solution

woodcock
Esteemed Legend

There are usually 3 roles in a SIEM:

admin (ess_admin) = Person who enables/modifies features (threatlists, notables, incidents), adds apps, etc.
author (ess_admin) = Person who creates/updates saved searches and dashboards to adjust to new threats.
analyst (ess_user) = Person who does the actual threathunting; responds to alerts/notables, runs many ad-hoc searches.

View solution in original post

0 Karma

woodcock
Esteemed Legend

There are usually 3 roles in a SIEM:

admin (ess_admin) = Person who enables/modifies features (threatlists, notables, incidents), adds apps, etc.
author (ess_admin) = Person who creates/updates saved searches and dashboards to adjust to new threats.
analyst (ess_user) = Person who does the actual threathunting; responds to alerts/notables, runs many ad-hoc searches.

View solution in original post

0 Karma

SamHTexas
Contributor

Thank u for your answer reg. SIEM roles. What is the ES role you'd assign a user short of admin / ess_admin who would be able to do investigations & searching ? We have Splunk Enterprise & ES in our environment. Thanks

0 Karma

rupeshn
Explorer

why ess-admin role is present when it should not be assigned to users?

0 Karma

woodcock
Esteemed Legend

Did you not read what I wrote?

0 Karma

skalliger
SplunkTrust
SplunkTrust

Well, the ess_user maps to the Splunk power user, which is why the ess_admin should not be assigned to users - it's an administrative role which can edit the whole layout of ES, change permissions. It's the same basically why you don't want a user to become admin by default.

Skalli

rupeshn
Explorer

Shouldn't be ess_admin role assigned to any users as suggested by Splunk? Why?

0 Karma

skalliger
SplunkTrust
SplunkTrust

Oh sorry, I missed your comment. Yes, of course you can assign it. The definition of "user" here is simply someone using Splunk not administratively. So basically, you want the one who keeps updating and improving the system to be the only one who is ess_admin. The wording is a little confusing here. It is sometimes in the Splunk world. 🙂

Skalli

rupeshn
Explorer

Thank You!

There's another query. I've removed ess_admin roles to the users. I don't know why I'm still gettin these messages

"Health Check: Review roles for unnecessary read or write access to the "investigation_event" collection and remove access if possible"

Please help

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!