Splunk SIEM Access Levels and Permissions (2024)

All Splunk SIEM built-in inputs and actions require an API Key with an Access Level of type CUSTOM. The following tables indicate the permissions that are required.

Note: Previous Splunk SIEM app versions used Access Levels LIVE_RESPONSE and API.

API Data Inputs

| Input | Description | Permissions | Data Schema |
| --- | --- | --- | --- |
| Alerts | Alerts indicate suspicious behavior and known threats in your environment. Use the Data Forwarder option instead when you have a high volume or significant bursts of activity; the Data Forwarder provides higher scalability. See Data Forwarder Alerts Input Configuration for Splunk SIEM. | orgs.alerts (Read) | Alert Schema |
| Auth Events | The Auth Events API provides visibility into authentication events that occur on Windows endpoints. | org.search.events (Read, Create) | Auth Event Schema |
| Live Query Results | Live Query Run and Result data. Requires Carbon Black Cloud Audit and Remediation. | livequery.manage (Read) | Live Query Result Schema |
| Vulnerabilities | Vulnerability assessment data, including identified CVEs, metadata, and impacted assets. Requires Carbon Black Cloud Workload. | vulnerabilityAssessment.data (Read) | Vulnerability Schema |
| Audit Logs | Carbon Black Cloud Audit Logs; for example, when a user signs in or updates a policy. Note: previous versions of the Audit Logs input used Access Levels LIVE_RESPONSE or API. | org.audits (Read) | Audit Log Schema |

Alert Actions and Adaptive Responses

| Alert Action | Description | Permission |
| --- | --- | --- |
| Add IOCs to a Watchlist | Adds the specified IOC(s) to a specified report in a watchlist. Requires Carbon Black Cloud Enterprise EDR. | orgs.watchlist (Create, Read, Update) |
| Ban Hash | Prevents a SHA-256 hash from being executed in Carbon Black Cloud. | org.reputations (Create) |
| * Close Alert | Closes the specified alert in Carbon Black Cloud. | org.alerts (Read); org.alerts.close (Execute) |
| Enrich Alert Observations | Searches for and ingests the Observations associated with the alert. Intended for use with the "Enrich CB Alert Observations" Splunk Alert. | org.search.events (Create, Read) |
| Enrich CB Analytic Events | Searches for and ingests the Enriched Events associated with the CB Analytics alert. Intended for use with the "CB Analytics - Ingest Enriched Events" Splunk Alert. Requires Carbon Black Cloud Endpoint Standard. Note: deprecated, with a deactivation date of 31 July 2024. | |
| Get File Metadata | Retrieves file metadata, such as the number of devices the hash was observed on, for the specified SHA-256 file hash. Requires Carbon Black Cloud Enterprise EDR. | ubs.org.sha256 (Read) |
| * Kill Process | Remotely kills a process on the devices specified in the search. | device (Read); org.liveresponse.session (Create, Read, Delete); org.liveresponse.process (Read, Delete) |
| * List Processes | Remotely lists processes on the specified device. Example: if an Analytics alert did not terminate the process, check whether the suspicious process is still running on the device. | device (Read); org.liveresponse.session (Create, Read, Delete); org.liveresponse.process (Read) |
| Process GUID Details | Fetches the most up-to-date, detailed metadata associated with the specified process GUID. Example: learn more about the process that triggered a Watchlist alert, such as its parent and process cmdline. | org.search.events (Read, Execute) |
| Quarantine Device | Quarantines the specified device so that suspicious activity and malware cannot affect the rest of your network. Until the quarantine is lifted, the device can communicate only with Carbon Black Cloud. | device (Read); device.quarantine (Execute) |
| Remove IOCs from a Watchlist | Removes IOCs from a report in a watchlist. Requires Carbon Black Cloud Enterprise EDR. | orgs.watchlist (Read, Update, Delete) |
| Run Livequery | Creates a new Live Query Run. Example: automatically get the logged-in users on an endpoint after a credential scraping alert. Requires Carbon Black Cloud Audit and Remediation. | device (Read); livequery.manage (Create, Read) |
| Unquarantine Device(s) | Removes the specified device(s) from the quarantined state, allowing them to communicate normally on the network. | device (Read); device.quarantine (Execute) |
| Update Device Policy | Updates the policy associated with the specified device. Example: move a device to a more restrictive policy during an incident investigation. | device (Read); device.policy (Update) |

Note: the actions marked * in the table above changed in Splunk SIEM App v2.0.0:

  • Dismiss Alert was renamed Close Alert.
  • Kill Process and List Processes changed from an Access Level type of LIVE_RESPONSE to CUSTOM.

Commands

All commands require an API Key with an Access Level of type CUSTOM. This changed in Splunk SIEM App v2.0.0; earlier versions used Access Levels of type LIVE_RESPONSE and API.

The following table indicates the permissions that are required.

| Command | Description | Permission |
| --- | --- | --- |
| Carbon Black Cloud Device Info (cbcdvcinfo) | Gets real-time information about a Carbon Black Cloud device. See Carbon Black Cloud Custom Commands for Splunk SIEM for usage and best practices. | device (Read) |
| Carbon Black Cloud Hash Info (cbchashinfo) | Gets real-time information about a SHA-256 hash, such as the number of devices that observed the file. Requires Carbon Black Cloud Enterprise EDR. | ubs.org.sha256 (Read) |
| Carbon Black Cloud Query (Alert Details dashboard: Alert History tab) | Loads a timeline view of the alert, including when it was created, determination changes, workflow updates, notes, and Carbon Black Managed Detection and Response comments. | org.alerts (Read) |
| Carbon Black Cloud Query (Alert Details dashboard: Observations tab) | Loads Carbon Black Cloud Observations related to an alert. Only certain alert types, such as CB Analytics, Host Based Firewall, and Intrusion Detection System, have Observations. | org.search.events (Create, Read) |
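Because every input, action and command above needs a CUSTOM Access Level, the key you issue should carry only the union of the permissions the features you actually enable require. The following Python script is an added example, not code from the Carbon Black Cloud Splunk SIEM app or its documentation: it builds that least-privilege scope from a representative subset of the tables above and flags operations an existing key holds that no enabled feature needs. The permission strings are the ones listed on this page; the feature labels and the dictionary shape are assumptions made here.

```python
# Added example (not part of the Carbon Black Cloud Splunk SIEM app or its docs):
# compute the least-privilege permission set for a CUSTOM Access Level from a
# chosen subset of inputs, alert actions and commands. Entries are transcribed
# from the tables on this page; only a representative subset is included.
from collections import defaultdict

# feature -> list of (permission, operations it needs)
PERMISSIONS = {
    # API data inputs
    "Alerts": [("orgs.alerts", {"Read"})],
    "Auth Events": [("org.search.events", {"Read", "Create"})],
    "Live Query Results": [("livequery.manage", {"Read"})],
    "Vulnerabilities": [("vulnerabilityAssessment.data", {"Read"})],
    "Audit Logs": [("org.audits", {"Read"})],
    # Alert actions
    "Close Alert": [("org.alerts", {"Read"}), ("org.alerts.close", {"Execute"})],
    "Kill Process": [("device", {"Read"}),
                     ("org.liveresponse.session", {"Create", "Read", "Delete"}),
                     ("org.liveresponse.process", {"Read", "Delete"})],
    "List Processes": [("device", {"Read"}),
                       ("org.liveresponse.session", {"Create", "Read", "Delete"}),
                       ("org.liveresponse.process", {"Read"})],
    "Quarantine Device": [("device", {"Read"}), ("device.quarantine", {"Execute"})],
    "Run Livequery": [("device", {"Read"}), ("livequery.manage", {"Create", "Read"})],
    # Commands
    "cbcdvcinfo": [("device", {"Read"})],
    "cbchashinfo": [("ubs.org.sha256", {"Read"})],
}

def required_permissions(features):
    """Union of permission -> operations over the selected features.

    An operation is granted only if some selected feature needs it, so the
    result is the narrowest scope that still lets every feature work.
    """
    scope = defaultdict(set)
    for feature in features:
        if feature not in PERMISSIONS:
            raise KeyError(f"unknown feature: {feature}")
        for perm, ops in PERMISSIONS[feature]:
            scope[perm] |= ops
    return {perm: sorted(ops) for perm, ops in sorted(scope.items())}

def excess_permissions(granted, features):
    """Operations on an existing key (same shape as required_permissions()
    output) that no selected feature needs: candidates for removal."""
    needed = required_permissions(features)
    extra = {p: sorted(set(ops) - set(needed.get(p, []))) for p, ops in granted.items()}
    return {p: ops for p, ops in extra.items() if ops}
```

Run `required_permissions(["Alerts", "Close Alert", "cbcdvcinfo"])` to see the scope a key limited to alert ingestion, alert closure and device lookups needs, and compare it with the Access Level currently assigned to the key.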