Security

Can _raw be hidden for specific user roles or an app?

sc0tt
Builder

I created a user role that restricts search capabilities to certain sources, but there are fields I would like to hide from the user and exclude the _raw data. Is there a way to do this?

Edit: I've expanded this question and I may have found a partial solution, but I'm unable to restrict a user from searching data that I don't want them to.

Example event:

source=my_source user_id=123456 user_secret=99999999 login_status=successful 

I restricted the search terms of the user role to source="my_source" user_id=123*. In addition, I created calculated fields for user_secret and _raw and set the eval expression to null(). This restricts the user to see only events in my_source where the user_id starts with 123 and hides the fields user_secret and _raw, but it doesn't prevent the user from being able to search data that they are not privy to.

For example, this search

source=my_source 99999999 | table user_id login_status user_secret _raw

will return

user_id    login_status    user_secret    _raw
123456     successful      (null)         (null)

Even though I've restricted the search and hidden fields, a user would still be able to deduce that the secret for user 123456 is 99999999.

Am I missing something? Is there a way to limit which data/fields a user can search? Another possible solution is to create a separate index but that doesn't seem very efficient to me since data would be duplicated.

This is somewhat related to a separate question I asked, "Can users be restricted to only search data models?". I think this may be a viable solution as well.

0 Karma

MichaelPriest
Communicator
0 Karma

sc0tt
Builder

Thanks. I've already restricted the search in the user roles. However, the user is still able to see the raw event data which includes data I do not want them to see. For example: the search restriction is: source="my_source" user_id=123*. This will only allow the user to search events in my_source where user_id starts with 123. However, there are additional fields in the event data such as user_secret which I don't want to be visible to the user.

0 Karma

MichaelPriest
Communicator

So you want to hide some fields which are within the _raw data?

0 Karma

sc0tt
Builder

Yes, or hide the _raw data completely. Ideally, I only want a user to see data that I allow them to see.

0 Karma

aweitzman
Motivator

I don't think Splunk permissions can function at that level.

Your best solution here might be to take your "complete" input, parse it into only the allowed fields, and output that into a different index. Then you can restrict those users to that new index, and they won't be exposed to any data they shouldn't see.

0 Karma
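One way to implement aweitzman's suggestion in Splunk configuration, as an added example that is not part of the original thread: on an indexer or heavy forwarder (SEDCMD and index routing run at parse time, so they do nothing on a universal forwarder), clone events from the original sourcetype into a second sourcetype, strip user_secret from the clone, and route the clone to a separate index that the restricted role is allowed to search. The sourcetype names, the transform class names and the index name restricted_idx are assumptions, and the example assumes the documented behaviour that a CLONE_SOURCETYPE copy is processed under the props.conf stanza of its new sourcetype.

```ini
# props.conf (indexer or heavy forwarder) -- added example, not from the thread.
# Assumed: the complete events arrive with sourcetype "my_sourcetype".
[my_sourcetype]
# Clone every event into a second sourcetype that can be sanitized on its own;
# the original event is indexed unchanged into its normal index.
TRANSFORMS-clone_for_restricted = clone_to_restricted

[my_sourcetype_restricted]
# Remove the secret before the clone is indexed, so a value such as 99999999
# never becomes a searchable term in the restricted copy and cannot be
# deduced with "source=my_source 99999999" as described above.
SEDCMD-drop_secret = s/\s*user_secret=\S+//g
# Send the sanitized clone to its own index (assumed name: restricted_idx).
TRANSFORMS-route_restricted = route_to_restricted

# transforms.conf
[clone_to_restricted]
# REGEX = . matches every event; CLONE_SOURCETYPE creates the copy.
REGEX = .
CLONE_SOURCETYPE = my_sourcetype_restricted

[route_to_restricted]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = restricted_idx
```

The restricted role must then list only restricted_idx in its allowed indexes, since the original index still holds the secret; events indexed before the change are unaffected and still contain it.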

sc0tt
Builder

I think you are right. Creating a separate index may be the only way to accomplish this.

0 Karma