Splunk Enterprise Security

Admin Role user cannot see specific Analyst user to assign notable to

NightShark
Path Finder

I have a problem where an admin role user cannot see another analyst user to assign specific notable events to. However, I do not have any problems when I as another admin user try to assign the analyst user that the other admin role cannot see.

I have checked notable_owners_lookup and it was filled correctly with the expected users.

What could be the issue here and where should we check?

0 Karma

ro_mc
Path Finder

I've seen this issue on Linux hosts with Splunk 7.3.x, where Splunk admin roles were assigned via RBAC using AD groups. There was an issue where the AD group membership was not being correctly identified on Linux, which resulted in the user still showing as admin in Splunk, but not having Splunk admin privileges.

The issue was fixed during a Splunk upgrade, but you could also try the following if your situation is similar:

- Running systemctl restart sssd
- Open settings -> authentication methods -> reload
- Use the CLI or make an API call to reload the authentication:

./splunk reload auth
curl -k -u admin:changeme https://splunkserver:8089/services/authentication/providers/services/_reload

Also note that SAML can take up to 10 minutes to fully populate the list of analysts that can be assigned to a notable event. It may be worth waiting patiently for this list to fully update.

Alternatively, assign the admin role locally on the ES SH to rule out other authentication technologies interfering with the required permissions.

Reference: https://docs.splunk.com/Documentation/ES/6.6.2/User/Triagenotableevents#Assign_notables_to_owners

 

0 Karma
Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

<P style=" text-align: center; "><span class="lia-inline-image-display-wrapper lia-image-align-center" ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

<FONT size="5"><FONT size="5" color="#FF00FF">Get the latest news and updates from the Splunk Community ...