Splunk Enterprise Security

Creating an index accessible to only one Splunk role

pranavna
Explorer

I want to create an index which will have sensitive data and want it to be accessible by only admin team and security team.

Basically, exactly the opposite of https://answers.splunk.com/answers/301280/how-to-restrict-access-to-one-certain-index-withou.html

I don't want to add a search filter for each and every role, as we have 100 roles and it's a maintenance nightmare.
Is there any elegant way to do this?

0 Karma

lakshman239
Influencer

One option would be to create a new role, say role_sensitive_data, and set up that role to search index=sensitive. You can then inherit this role for 'admin' and 'security team'. This would also depend on how you have set up your 100s of roles [I assume they don't search all indexes by default and you would have restricted them to what they need to search by index names].

pranavna
Explorer

Again, we have nearly 130 indexes; we cannot add the capabilities to the rest of the users. Having role_sensitive_data, we cannot restrict others from using it.

0 Karma

lakshman239
Influencer

How have you mapped the 130 indexes to the users? Do you not have 1 role mapped to one or more indexes?

pranavna
Explorer

When you create an index, everyone has access to that index by default. I have not added mapping of any sort.

IDK if I am able to convey what I want.

Basically, if we create an index, any data there should be visible to only 1 team/role.

0 Karma
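An added example, not part of the original thread or Splunk's own tooling: a small Python audit for the situation discussed above, which resolves `importRoles` inheritance in authorize.conf-style text and lists every role whose effective `srchIndexesAllowed` reaches a given index. The sample config, role names and index names are constructed, and only `importRoles` and `srchIndexesAllowed` are modeled (other settings such as `srchIndexesDisallowed` are ignored).

```python
import fnmatch

# Constructed sample authorize.conf; role and index names are hypothetical.
SAMPLE_CONF = """
[role_user]
srchIndexesAllowed = *
[role_power]
importRoles = user
[role_sensitive_data]
srchIndexesAllowed = sensitive
[role_security_team]
importRoles = sensitive_data
srchIndexesAllowed = firewall;proxy
[role_helpdesk]
srchIndexesAllowed = main;app_*
"""

def parse_roles(text):
    """Return {role: {setting: [values]}} from authorize.conf-style text."""
    roles, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            current = roles.setdefault(line[6:-1], {}) if line.startswith("[role_") else None
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = [v.strip() for v in value.split(";") if v.strip()]
    return roles

def allowed_patterns(roles, role, seen=None):
    """Union of srchIndexesAllowed for a role and every role it imports."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:
        return set()
    seen.add(role)
    patterns = set(roles[role].get("srchIndexesAllowed", []))
    for parent in roles[role].get("importRoles", []):
        patterns |= allowed_patterns(roles, parent, seen)
    return patterns

def roles_with_access(roles, index):
    """Sorted list of roles whose effective allow-list matches the index."""
    def matches(pattern):
        # Assumption: '*' covers non-internal indexes only; '_'-prefixed need '_*'.
        if index.startswith("_") and not pattern.startswith("_"):
            return False
        return fnmatch.fnmatchcase(index, pattern)
    return sorted(r for r in roles if any(matches(p) for p in allowed_patterns(roles, r)))
```

On the sample, the wildcard in `role_user` (and its inheritance by `role_power`) is what exposes `sensitive`; once that wildcard is replaced by an explicit index list, only the dedicated role and the role importing it remain.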