Splunk Enterprise Security

What is the purpose of ess_admin role in splunk ES when it is advised not to assign it to users?

rupeshn
Explorer

I'm trying to understand why the ess_admin role is present when it should not be assigned to users.


woodcock
Esteemed Legend

There are usually 3 roles in a SIEM:

admin (ess_admin) = Person who enables/modifies features (threatlists, notables, incidents), adds apps, etc.
author (ess_admin) = Person who creates/updates saved searches and dashboards to adjust to new threats.
analyst (ess_user) = Person who does the actual threat hunting; responds to alerts/notables, runs many ad-hoc searches.


garias_splunk
Splunk Employee

The 2nd one is ess_analyst.

SamHTexas
Builder

Thank you for your answer regarding SIEM roles. What is the ES role you'd assign to a user, short of admin / ess_admin, who would be able to do investigations & searching? We have Splunk Enterprise & ES in our environment. Thanks


rupeshn
Explorer

Why is the ess_admin role present when it should not be assigned to users?


woodcock
Esteemed Legend

Did you not read what I wrote?


skalliger
SplunkTrust

Well, the ess_user maps to the Splunk power user, which is why the ess_admin should not be assigned to users: it's an administrative role which can edit the whole layout of ES and change permissions. It's basically the same reason why you don't want a user to become admin by default.

Skalli

rupeshn
Explorer

Shouldn't the ess_admin role be assigned to any users, as suggested by Splunk? Why?


skalliger
SplunkTrust

Oh sorry, I missed your comment. Yes, of course you can assign it. The definition of "user" here is simply someone using Splunk not administratively. So basically, you want the one who keeps updating and improving the system to be the only one who is ess_admin. The wording is a little confusing here. It is sometimes in the Splunk world. 🙂

Skalli

rupeshn
Explorer

Thank You!

There's another query. I've removed the ess_admin role from the users. I don't know why I'm still getting these messages:

"Health Check: Review roles for unnecessary read or write access to the "investigation_event" collection and remove access if possible"

Please help

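To act on a health-check message like the one above, the first step is to see which roles a knowledge-object ACL actually grants read or write on the named collection. The script below is an added example, not code from the thread or from Splunk; it parses the `access = read : [...], write : [...]` lines of a Splunk `.meta` file (the sample file and the role set are constructed) and reports any role outside the set you consider necessary, including the `*` wildcard.

```python
import re

# Constructed sample of a Splunk *.meta file (not taken from any real deployment).
SAMPLE_META = """
[collections/investigation_event]
access = read : [ admin, ess_admin, ess_analyst, power ], write : [ admin, ess_admin, ess_analyst ]
export = system
owner = nobody

[collections/other_collection]
access = read : [ * ], write : [ admin ]
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
ACCESS_RE = re.compile(r"(read|write)\s*:\s*\[([^\]]*)\]")


def parse_meta_access(text):
    """Return {stanza: {"read": [roles], "write": [roles]}} for stanzas with an access line."""
    result = {}
    stanza = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            stanza = m.group("name")
            continue
        if stanza and line.lower().startswith("access"):
            _, _, value = line.partition("=")
            acl = {"read": [], "write": []}
            for mode, roles in ACCESS_RE.findall(value):
                # "*" stays as a literal entry so the caller can flag it explicitly
                acl[mode] = [r.strip() for r in roles.split(",") if r.strip()]
            result[stanza] = acl
    return result


def review_collection_access(text, collection, expected_roles):
    """(mode, role) pairs granted on the collection that are not in expected_roles."""
    acl = parse_meta_access(text).get("collections/" + collection, {"read": [], "write": []})
    return [(mode, role) for mode in ("read", "write")
            for role in acl[mode] if role not in expected_roles]


if __name__ == "__main__":
    # Hypothetical policy: only admin and ess_admin should touch investigation_event.
    for mode, role in review_collection_access(SAMPLE_META, "investigation_event", {"admin", "ess_admin"}):
        print(f"review {mode} access for role {role}")
```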