Solved: Splunk for Palo Alto Networks: How to limit permis...

ckillg · ‎08-15-2015

I would like to limit certain users' access to URL filtering and config change data coming from the PAN. Is there a way to do that?

I would put the data in separate indexes, but the app documentation says to use pan_logs for everything.

jnussbaum_splun · ‎08-15-2015

Under Access Controls -> Roles , you can restrict search terms and exclude eventtypes such as you're mentioning above with:
index=pan_logs eventtype!=pan_config eventtype!=pan_threat
This will allow the Role to search the pan_logs index, but not events that fall into the eventtype of pan_config and pan_threat. Hope that's what you're looking for.

View solution in original post

jnussbaum_splun · ‎08-15-2015

Under Access Controls -> Roles , you can restrict search terms and exclude eventtypes such as you're mentioning above with:
index=pan_logs eventtype!=pan_config eventtype!=pan_threat
This will allow the Role to search the pan_logs index, but not events that fall into the eventtype of pan_config and pan_threat. Hope that's what you're looking for.

ckillg · ‎08-15-2015

Perfect. Thanks.

Splunk for Palo Alto Networks: How to limit permissions for users by log type?

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability

Introducing the Splunk Community Dashboard Challenge!