Splunk Enterprise Security
Highlighted

What is the purpose of ess_admin role in splunk ES when it is advised not to assign it to users?

Explorer

I'm trying to get why ess-admin role is present when it should not be assigned to users?

0 Karma
Highlighted

Re: What is the purpose of ess_admin role in splunk ES when it is advised not to assign it to users?

SplunkTrust
SplunkTrust

Well, the essuser maps to the Splunk power user, which is why the essadmin should not be assigned to users - it's an administrative role which can edit the whole layout of ES, change permissions. It's the same basically why you don't want a user to become admin by default.

Skalli

Highlighted

Re: What is the purpose of ess_admin role in splunk ES when it is advised not to assign it to users?

Explorer

Shouldn't be ess_admin role assigned to any users as suggested by Splunk? Why?

0 Karma
Highlighted

Re: What is the purpose of ess_admin role in splunk ES when it is advised not to assign it to users?

SplunkTrust
SplunkTrust

Oh sorry, I missed your comment. Yes, of course you can assign it. The definition of "user" here is simply someone using Splunk not administratively. So basically, you want the one who keeps updating and improving the system to be the only one who is ess_admin. The wording is a little confusing here. It is sometimes in the Splunk world. 🙂

Skalli

Highlighted

Re: What is the purpose of ess_admin role in splunk ES when it is advised not to assign it to users?

Explorer

Thank You!

There's another query. I've removed ess_admin roles to the users. I don't know why I'm still gettin these messages

"Health Check: Review roles for unnecessary read or write access to the "investigation_event" collection and remove access if possible"

Please help

0 Karma
Highlighted

Re: What is the purpose of ess_admin role in splunk ES when it is advised not to assign it to users?

Esteemed Legend

There are usually 3 roles in a SIEM:

admin (ess_admin) = Person who enables/modifies features (threatlists, notables, incidents), adds apps, etc.
author (ess_admin) = Person who creates/updates saved searches and dashboards to adjust to new threats.
analyst (ess_user) = Person who does the actual threathunting; responds to alerts/notables, runs many ad-hoc searches.

View solution in original post

0 Karma
Highlighted

Re: What is the purpose of ess_admin role in splunk ES when it is advised not to assign it to users?

Explorer

why ess-admin role is present when it should not be assigned to users?

0 Karma
Highlighted

Re: What is the purpose of ess_admin role in splunk ES when it is advised not to assign it to users?

Esteemed Legend

Did you not read what I wrote?

0 Karma