Limit access to specific events in one index

ips_mandar · ‎11-26-2018

Hi,
I have one role which has Restrict search terms as index=abc $table="azuredignostics"
then how this user having this role can access $table="Perf" data. How he can get access to all data from calculated fields
but I am not able to achieve what eval function need to be created.
As I am using OMS add-on so it has 1 source, 1 host and 1 sourcetype so in calculated fields * won't help.

woodcock · ‎11-26-2018

Do not use this feature; it is easy to bypass so paper-thin as to be useless. The only true access-control is denying access to particular index values.

ips_mandar · ‎11-26-2018

yes I can understand that there will be security issue I just wanted to understand How to bypass take access to all data using calculated fields ...as I was trying to create calculated fields to bypass access but unable to do so as I have only 1 host, source and sourcetype.

woodcock · ‎11-28-2018

If the restriction requires a field, then create a calculated field that defines it; if it requires the field not to exist, create a calculated field that sets it to null(). Boom! Bypassed.

Limit access to specific events in one index

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases