Re: Restrictions filter - Role restrict search

hugohctint · ‎10-23-2020

I created a Role with the following restriction:

1- origen::chile OR ( index::_audit AND user="secchi")

But still can see the data models with any origen. I can filter a data model in search and reporting like this:

2- | datamodel "Authentication" search | search Authentication.origen="chile"

But a don't know how to combine the 1 and 2 into one single restriction to include it into the Role restrict search. Any ideas?

Thank you

hugohctint · ‎10-24-2020

The key here is to only get event data with origen="chile" and datamodel Authentication with values Authentication.origen="chile" when the user "chile" logs in. The place that is the most obvios to do this is at the Role setting Role->Restrictions

From what I see, the SPL you wrote there is no filtering both.

to4kawa · ‎10-24-2020

I see, That's true.
Because where needs to be written by you.

I used append to show the two logs and then selfjoin them together.
If There is the row that has Authentication.origen field, it should be kept.

hugohctint · ‎10-24-2020

Thanks for responding. It does not seem to work. Could you please explain the logic?

to4kawa · ‎10-24-2020

Did you try? What are the query and result?　I don't have any information at all, so that's all I can do.

Please look up the meaning of spl.

to4kawa · ‎10-24-2020

append and | eval origen=coalesce(origen,Authentication.origen) | selfjoin origen | where as_you_like

Restrictions filter - Role restrict search

administration

configuration

using Enterprise Security

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio