Splunk Search

Is there any way to restrict searches based on user's source IP address?

brettcave
Builder

Is there any way possible to restrict searches based on source IP of splunk user?

Current environment is Splunk Enterprise 6 with SAML, hosted behind apache as a reverse proxy with mod_mellon handling the SAML authentication to our SSO idp. (https://www.splunk.com/blog/2013/10/09/splunk-sso-using-saml-through-okta.html)

Perhaps some way to map to different user Ids or roles via apache mod config some how, and then using standard Splunk restrictions in roles?

0 Karma

brettcave
Builder

Figured out a solution:

Deploy a second Splunk server as search head without data / index. The 2nd search head can have it's own knowledge bundle / different permissions on roles.

0 Karma

tiagofbmm
Influencer

Hey

You can mapp LDAP groups ( as well as SAML) to Splunk Roles:

https://docs.splunk.com/Documentation/Splunk/7.0.2/Security/MapLDAPgroupstoSplunkroles

0 Karma

brettcave
Builder

Yes, we are doing this. So how could we map to different roles based on source IP address?

e.g. Currently I am user "brettcave" with role "developer" that has certain rights.
If I log onto splunk from 192.168.1.0/24, I want to map to "developer" role, but if I access from any other IP, i want to map to "user" role.

is this possible?

0 Karma

tiagofbmm
Influencer

I think what you can do is to try to do that on your DC side. Splunk just maps Groups to Roles and that's ti.

If you can figure out your strategy on the DC side, then it is fine. But in Splunk I don't think so

0 Karma

starcher
SplunkTrust
SplunkTrust

No Splunk has no controls based on network source. Only user to role mapping

robgora_deloitt
Path Finder

I agree with Starcher. Splunk does not have the ability to match roles based off of network location. You can only do it by mapping users and groups to a role.

0 Karma

brettcave
Builder

Solution posted below - by using 2 different SSO profiles - 1 to the original search head and a 2nd search head with a different configuration, the 2nd head can have a different configuration / ACL configuration.

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...