Security

data segregation methods

awurster
Contributor

hello -

I've been reading the various guides and some other Q&As regarding segregation or role-based access to different data.

I'm working with a distributed environment, where there are separate forwarders in each "region" which feed into centralised indexer / search tiers. Data needs to be segregated based on its home "region", or in other words where the data originates from.

So I'll somehow need to identify the data based on where it came from originally, either based on originating host, forwarder, or something like that.

Right now I've got a demo that I think appears to be working, where I force data sourced in a particular region into different indexes, based on inputs.conf. I then use RBAC (with AD group mappings) to control access based on index. I also need to modify the dashboards / saved searches within our app because this impacts summarization of the indexed data. I can also perhaps imagine a use for "tags" or something similar as the default search terms...

Any ideas? Any recommendations and/or words of wisdom?

The use case is Cisco IronPort WSA access logs... feeding into a Splunk for WSA app deployment.

cheers,

andrew

0 Karma

swagner1965
Path Finder

Our solution is to create indexes for each customer whose data needs to be segregated from the rest. Customer apps are slaved to indexes and customer roles are slaved to their respective apps. The apps can be locked down so that they only see the indexes that are needed, which mitigates the risk of any one customer traversing the data of other customers, or us for that matter.

0 Karma

wellsajs
Explorer

If you tag your data via the forwarders, which I assume are in your various regions, then this tag could be used to segment your data into the different indexes, and you can then use RBAC via the AD groups to finely control access to the data.

0 Karma
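The three replies above (and the original post) describe the same pattern in words: the regional forwarder picks the index, the indexer tier holds one index per region, and a Splunk role mapped from an AD group is allowed to search only that index. Below is a worked set of .conf fragments for that pattern. This is an added example, not configuration from the thread, the Splunk for WSA app, or any Cisco documentation; the log path, sourcetype, index names (wsa_apac, wsa_emea), role names, the LDAP strategy name corpAD and the AD group DNs are all assumptions chosen for illustration.

```ini
# ---- On each regional forwarder: inputs.conf (assumed APAC forwarder) ----
# The forwarder chooses the destination index, so region routing is fixed at
# ingest time, before the event reaches the shared indexer/search tier.
[monitor:///var/log/ironport/wsa/aclog.current]
sourcetype = cisco:wsa:squid
index = wsa_apac
# Optional: stamp an indexed field with the origin so the region survives even
# when a global role searches several region indexes at once.
_meta = region::apac

# ---- On the indexers: indexes.conf (one index per region) ----
[wsa_apac]
homePath   = $SPLUNK_DB/wsa_apac/db
coldPath   = $SPLUNK_DB/wsa_apac/colddb
thawedPath = $SPLUNK_DB/wsa_apac/thaweddb

[wsa_emea]
homePath   = $SPLUNK_DB/wsa_emea/db
coldPath   = $SPLUNK_DB/wsa_emea/colddb
thawedPath = $SPLUNK_DB/wsa_emea/thaweddb

# ---- On the search head: fields.conf (makes region::<x> searchable as region=<x>) ----
[region]
INDEXED = true

# ---- On the search head: authorize.conf (one role per region) ----
# A local base role with search capabilities but NO index access. Region roles
# import this instead of the built-in "user" role, because index access is the
# union of srchIndexesAllowed across every inherited role.
[role_wsa_base]
search   = enabled
rtsearch = enabled

# srchIndexesAllowed is the hard boundary: a user holding only this role cannot
# read another index even by naming it explicitly in the search bar.
# srchIndexesDefault is what the WSA app's dashboards and saved searches hit
# when a search carries no index= clause, so it must include the region index
# or the panels stay empty.
[role_wsa_apac]
importRoles        = wsa_base
srchIndexesAllowed = wsa_apac
srchIndexesDefault = wsa_apac

[role_wsa_emea]
importRoles        = wsa_base
srchIndexesAllowed = wsa_emea
srchIndexesDefault = wsa_emea

# Global analysts may read every region; the wildcard means a new region index
# does not require editing this stanza.
[role_wsa_global]
importRoles        = wsa_base
srchIndexesAllowed = wsa_*
srchIndexesDefault = wsa_*

# ---- On the search head: authentication.conf (AD group -> Splunk role) ----
# "corpAD" is the assumed name of the LDAP strategy defined under [authSettings].
[roleMap_corpAD]
wsa_apac   = CN=Splunk-WSA-APAC,OU=Groups,DC=example,DC=com
wsa_emea   = CN=Splunk-WSA-EMEA,OU=Groups,DC=example,DC=com
wsa_global = CN=Splunk-WSA-Global,OU=Groups,DC=example,DC=com
```

Two checks worth running after deploying this: log in as a member of only the APAC group and confirm that `index=wsa_emea` returns nothing (and that `| rest` or the Indexes settings page does not list it), and open the app's dashboards to confirm they populate from `srchIndexesDefault` alone. If you are tempted to keep a single shared index and rely on `srchFilter` (for example `srchFilter = region::apac`) instead, note that search filters from multiple roles held by the same user are combined with OR, so one broad role silently widens the others; separate indexes with `srchIndexesAllowed` do not have that failure mode.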

miteshvohra
Contributor

Having separate indexes for each region will help you restrict user access to their respective indexes only.

I haven't implemented it so far; however, these roles/restrictions should work at the App level too.

It will be interesting to know the solution.

Br, Mitesh.

0 Karma