Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the purpose of ess_admin role in splunk ES when it is advised not to assign it to users?

rupeshn
Explorer
‎05-06-2019 02:57 AM

I'm trying to get why ess-admin role is present when it should not be assigned to users?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-07-2019 07:28 AM

There are usually 3 roles in a SIEM:

admin (ess_admin) = Person who enables/modifies features (threatlists, notables, incidents), adds apps, etc.
author (ess_admin) = Person who creates/updates saved searches and dashboards to adjust to new threats.
analyst (ess_user) = Person who does the actual threathunting; responds to alerts/notables, runs many ad-hoc searches.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-07-2019 07:28 AM

There are usually 3 roles in a SIEM:

admin (ess_admin) = Person who enables/modifies features (threatlists, notables, incidents), adds apps, etc.
author (ess_admin) = Person who creates/updates saved searches and dashboards to adjust to new threats.
analyst (ess_user) = Person who does the actual threathunting; responds to alerts/notables, runs many ad-hoc searches.
0 Karma
Reply
Solved! Jump to solution

garias_splunk
Splunk Employee
Splunk Employee
‎10-07-2021 03:03 AM

the 2nd one is ess_analyst

Reply
Solved! Jump to solution

SamHTexas
Builder
‎03-28-2021 09:15 PM

Thank u for your answer reg. SIEM roles. What is the ES role you'd assign a user short of admin / ess_admin who would be able to do investigations & searching ? We have Splunk Enterprise & ES in our environment. Thanks

0 Karma
Reply
Solved! Jump to solution

rupeshn
Explorer
‎05-14-2019 03:17 AM

why ess-admin role is present when it should not be assigned to users?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-14-2019 08:55 AM

Did you not read what I wrote?

0 Karma
Reply
Solved! Jump to solution

skalliger
Motivator
‎05-06-2019 05:24 AM

Well, the ess_user maps to the Splunk power user, which is why the ess_admin should not be assigned to users - it's an administrative role which can edit the whole layout of ES, change permissions. It's the same basically why you don't want a user to become admin by default.

Skalli

Reply
Solved! Jump to solution

rupeshn
Explorer
‎05-14-2019 03:16 AM

Shouldn't be ess_admin role assigned to any users as suggested by Splunk? Why?

0 Karma
Reply
Solved! Jump to solution

skalliger
Motivator
‎05-16-2019 09:03 AM

Oh sorry, I missed your comment. Yes, of course you can assign it. The definition of "user" here is simply someone using Splunk not administratively. So basically, you want the one who keeps updating and improving the system to be the only one who is ess_admin. The wording is a little confusing here. It is sometimes in the Splunk world. 🙂

Skalli

Reply
Solved! Jump to solution

rupeshn
Explorer
‎06-18-2019 05:17 AM

Thank You!

There's another query. I've removed ess_admin roles to the users. I don't know why I'm still gettin these messages

"Health Check: Review roles for unnecessary read or write access to the "investigation_event" collection and remove access if possible"

Please help

0 Karma
Reply
Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...