Splunk Enterprise

How to restrict users from exporting data via REST API, CLI?

human96
Communicator

Hi Splunkers,

I know how we can restrict users from exporting data in Splunk Web.

Does anyone happen to know how we can restrict users from exporting data via REST API, CLI?

0 Karma
1 Solution

VatsalJagani
Champion

If you don't want to allow them to export then you need to revoke their searching capability.

Because if they can search then Splunk doesn't have any control to stop them from exporting.

But anyway, if you wish to prevent the user from running search queries, you can remove the search capability from the role. (By default the role user has this capability.) - https://docs.splunk.com/Documentation/Splunk/8.2.5/Security/Rolesandcapabilities

human96
Communicator

Thanks for your response.

I have one more doubt.

Is it possible to set up a new port dedicated to the API in Splunk?

If yes, please tell me the process. Documentation would be appreciated.

0 Karma

VatsalJagani
Champion

No, I don't think so. The API works on Splunk's management port 8089.

Because they both are actually the same thing. Splunk does all its management through API as well.

0 Karma

human96
Communicator

Are there any best practices for running Splunk's API from an external system?

Documentation would be appreciated.

0 Karma

VatsalJagani
Champion

See if you can use the SDK, because that would be much easier and would take care of most of the best practices.

https://dev.splunk.com/enterprise/docs/devtools/python/sdk-python/

0 Karma

VatsalJagani
Champion

export_results_is_visible capability in the answer.
(Basically it will hide the "Export Results" button on Splunk Web. - https://docs.splunk.com/Documentation/Splunk/8.2.5/Security/Rolesandcapabilities )

By default, this capability is available with the user role. So you need to create a new role similar to the user but then exclude this capability.

Or you can modify the default user role and remove this capability. (If you want this to happen to specific users, don't take this approach)

0 Karma

human96
Communicator

Thanks for your quick response.

As I already mentioned, I know the "export_results_is_visible" role capability makes the restriction on Splunk Web.

I just want to restrict a specific user from exporting via REST API, CLI.

Is it possible?

0 Karma

VatsalJagani
Champion
Sorry about misunderstanding the question. Posted a separate response.
0 Karma