Splunk Enterprise Security

What is the purpose of ess_admin role in splunk ES when it is advised not to assign it to users?

rupeshn
Explorer

I'm trying to get why ess-admin role is present when it should not be assigned to users?

0 Karma
1 Solution

woodcock
Esteemed Legend

There are usually 3 roles in a SIEM:

admin (ess_admin) = Person who enables/modifies features (threatlists, notables, incidents), adds apps, etc.
author (ess_admin) = Person who creates/updates saved searches and dashboards to adjust to new threats.
analyst (ess_user) = Person who does the actual threathunting; responds to alerts/notables, runs many ad-hoc searches.

View solution in original post

0 Karma

woodcock
Esteemed Legend

There are usually 3 roles in a SIEM:

admin (ess_admin) = Person who enables/modifies features (threatlists, notables, incidents), adds apps, etc.
author (ess_admin) = Person who creates/updates saved searches and dashboards to adjust to new threats.
analyst (ess_user) = Person who does the actual threathunting; responds to alerts/notables, runs many ad-hoc searches.
0 Karma

garias_splunk
Splunk Employee
Splunk Employee

the 2nd one is ess_analyst

SamHTexas
Builder

Thank u for your answer reg. SIEM roles. What is the ES role you'd assign a user short of admin / ess_admin who would be able to do investigations & searching ? We have Splunk Enterprise & ES in our environment. Thanks

0 Karma

rupeshn
Explorer

why ess-admin role is present when it should not be assigned to users?

0 Karma

woodcock
Esteemed Legend

Did you not read what I wrote?

0 Karma

skalliger
Motivator

Well, the ess_user maps to the Splunk power user, which is why the ess_admin should not be assigned to users - it's an administrative role which can edit the whole layout of ES, change permissions. It's the same basically why you don't want a user to become admin by default.

Skalli

rupeshn
Explorer

Shouldn't be ess_admin role assigned to any users as suggested by Splunk? Why?

0 Karma

skalliger
Motivator

Oh sorry, I missed your comment. Yes, of course you can assign it. The definition of "user" here is simply someone using Splunk not administratively. So basically, you want the one who keeps updating and improving the system to be the only one who is ess_admin. The wording is a little confusing here. It is sometimes in the Splunk world. 🙂

Skalli

rupeshn
Explorer

Thank You!

There's another query. I've removed ess_admin roles to the users. I don't know why I'm still gettin these messages

"Health Check: Review roles for unnecessary read or write access to the "investigation_event" collection and remove access if possible"

Please help

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...