Splunk User Education and Role-Based Access Control (RBAC)
Skill and Policy Gaps
Most of the findings detailed elsewhere in this document share the same underlying root causes: skills gaps, and a lack of enforcement of the policies that would prevent those gaps from negatively impacting the environment. Correcting these issues requires a combination of uplifting the skills of the people who interact with Splunk and enforcing policies and capabilities that match each individual's skills. This will require revisiting current RBAC strategies to ensure proper enforcement of roles and responsibilities.
Training Commensurate to Role
All people who interact with Splunk should be required to have training that supports the capabilities granted to them. In all the recommendations listed below, it's recommended that the user start with the FREE classes, which are also typically self-paced. However, your organization should consider which of the instructor-led (and therefore not free) classes should be included within training budgets. NOTE: The groupings of classes vary slightly from Splunk Education's certification paths because of the distinction drawn here between who should and should not be allowed to save/schedule searches. Your organization may decide it's easier to follow the recommended certification groupings and control that distinction in other ways.
Basic User
This is the entry-level role for most users within the Splunk environment. They will have the ability to search the data they've been given access to and to interact with dashboards. They should NOT have the ability to save or schedule searches or to edit any knowledge objects. They should provide proof that they've successfully completed the following FREE Splunk Education classes before gaining access to Splunk. Users who currently have this level of access should provide proof of having completed these classes within 30 days or have their access revoked.
Classes Required for Basic User Access:
- What Is Splunk?
- Intro to Splunk
- Using Fields
- Visualizations
- Working with Time
- Comparing Values
- Statistical Processing
- Leveraging Lookups and Subsearches
- Result Modification
Advanced or Power User
These are users who have demonstrated an understanding of search best practices and are thereby granted the ability to save and schedule searches and to interact with knowledge objects. To ensure that the Splunk Admin team is not swamped with requests from users to perform these kinds of tasks, it's recommended that at least two power users (a primary and a backup) be designated for each business unit that has access to Splunk. They'll be responsible for ensuring that all reporting, alerting and dashboarding needs for the team are developed in ways that best optimize Splunk resources. They should work collaboratively with the Splunk admin team to ensure that their team's needs are met. They should have already completed all the courses required for the Basic User tier of skills, in addition to the following, before being granted the ability to save and schedule searches, create dashboards or otherwise edit content within Splunk apps.
Classes Required for Advanced or Power User Access:
- All classes required for Basic User Access
- Scheduling Reports and Alerts
- Introduction to Dashboards
- Dynamic Dashboards
- (optional) Creating Maps
- Search Under the Hood
- Search Optimization
- Correlation Analysis
- Multivalue Fields
- Introduction to Knowledge Objects
- Creating Knowledge Objects
- Creating Field Extractions
- Enriching Data With Lookups
- Data Models
Enterprise Security User
Any people in the organization who will be using Enterprise Security should have already completed all the courses required for the Basic User tier of skills, in addition to the following, before being granted access to the Enterprise Security app. Most of the classes for the Advanced or Power User level of access should also be encouraged for these users, although they are not strictly required to successfully interact with ES. These people should work collaboratively with the Enterprise Security Administrators to ensure that all searching, reporting and dashboarding needs are supported to meet the organization's security objectives.
Classes Required for Enterprise Security Users:
- All classes required for Basic User Access
- Introduction to Enterprise Security
- Using Enterprise Security
Enterprise Security Administrator
Any people in the organization who will be managing components related to Enterprise Security, including data models, risk assessments, and threat intelligence customization, should have already completed all the courses required for the Enterprise Security User role along with the following classes. It is not strictly required, but highly recommended, that people with this role also have taken several (if not all) of the Splunk System Administrator courses, as there's overlap in understanding how ES interacts with the overall system and architecture. This group should work collaboratively with the Splunk System Administrators to ensure that ES has the resources it needs to function properly and to meet the organization's security objectives.
Classes Required for Enterprise Security Administrators:
- All classes required for Enterprise Security Users
- All classes required for Advanced or Power Users
- Administering Splunk Enterprise Security
- (optional) Splunk Enterprise Security Certified Admin certification path, which is the full list of classes that overlap with Splunk System Administrator requirements, if that recommendation is followed
Splunk System Administrator
These are the people responsible for daily operations and maintenance of the Splunk solution from end to end. They should work collaboratively with the other user groups to ensure that required data is onboarded in a timely manner and that parsing of the data meets the search needs of the users. Most of the time this will involve normalizing to the Splunk Common Information Model (CIM), but it may also involve helping the Advanced/Power users develop custom data models. They should also regularly audit user activity, identify areas where performance improvements could be made, and enforce best-practice standards.
Users in this position should already be Splunk Enterprise Certified Admin or Splunk Cloud Certified Admin (depending on the environment). Alternatively, if they are on the learning path but have not yet completed all the courses, they should be mentored by individuals in the organization who are already Splunk System Administrators or Architects.
Splunk Enterprise Architect
These are the people who "own" how Splunk functions within the organization from a technical point of view. They should fully understand best practices and have the ability to deploy, manage and troubleshoot the Splunk environment. They should work with the user community to ensure that current needs are being met, and with management up the chain to ensure Splunk is well positioned to support future growth needs and business objectives. Users in this position should already be Splunk Enterprise Certified Architects.
Splunk Core Certified Consultant (optional)
For organizations that want to build in-house skills rather than hire Professional Services on a per-hour basis, the Splunk Core Certified Consultant coursework is now available. This is particularly useful and recommended for extremely large Splunk environments (nearing 1+PB/day in size) or for organizations with highly complex Splunk environments (multi-site clusters, federated environments, hybrid on-prem/cloud architectures).
RBAC Policies and Adjustments
Under this schema of controlling who has the ability to save/schedule searches, the following adjustments may be necessary to your RBAC policies.
- Determine the internal policies/procedures needed to ensure users have completed the required training, or otherwise demonstrated commensurate skills, before they are granted access to Splunk or before a change to their level of access within Splunk is approved.
- Adjust Splunk roles/SAML groups to delineate between basic users and advanced/power users.
- This change should only impact what Splunk capabilities a user has, not the data they can access.
- While the basic user/advanced user distinction should mostly mimic the "user" and "power" roles, keep in mind that by default Splunk's "user" role comes with access to all the data, and that access is inherited by the "power" role.
- It's recommended that custom "<org>_user" and "<org>_power" roles be created that control only capabilities and have NO access to data. Since these are custom, the organization can choose to be either stricter or more lenient than the Splunk defaults.
- Review the permissions set on all apps and TAs to ensure that users with the basic user role(s) do not have write access to any apps. The "power" role(s) should have write access only to the app(s) they're responsible for supporting.
- Search to view all apps and related permissions:
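The search itself is not reproduced on this page. As an added example (not the page's own search and not Splunk tooling), the following Python applies the three checks above to the JSON that Splunk's REST endpoints /services/authorization/roles and /services/apps/local return with output_mode=json: custom roles must not be granted indexes directly or inherit them by importing built-in roles, and basic-user roles must not hold write permission on any app. The acme_* role names and all sample records are constructed.

```python
"""Audit Splunk role and app ACLs against the basic/power split described above.
Record shapes mirror the JSON (output_mode=json) returned by the REST endpoints
/services/authorization/roles and /services/apps/local; all records are constructed."""
import json

# Constructed sample responses, trimmed to the fields the audit needs.
ROLES_JSON = json.dumps({"entry": [
    {"name": "acme_user", "content": {"imported_roles": [],
     "srchIndexesAllowed": [], "capabilities": ["search", "get_metadata"]}},
    {"name": "acme_power", "content": {"imported_roles": ["user"],  # inherits data: finding
     "srchIndexesAllowed": [], "capabilities": ["search", "schedule_search"]}},
    {"name": "acme_sec_data", "content": {"imported_roles": [],
     "srchIndexesAllowed": ["security_*"], "capabilities": []}},
]})
APPS_JSON = json.dumps({"entry": [
    {"name": "search", "acl": {"sharing": "app",
     "perms": {"read": ["*"], "write": ["admin", "acme_user"]}}},  # basic role writes: finding
    {"name": "Splunk_TA_windows", "acl": {"sharing": "app",
     "perms": {"read": ["*"], "write": ["admin", "acme_power"]}}},
    {"name": "acme_finance", "acl": {"sharing": "app",
     "perms": {"read": ["acme_user"], "write": ["admin"]}}},
]})

CAPABILITY_ONLY_ROLES = {"acme_user", "acme_power"}  # hypothetical <org>_ roles: no data access
BASIC_ROLES = {"acme_user"}                           # must never hold write on an app
SPLUNK_DATA_ROLES = {"user", "power", "admin"}        # built-ins that carry index access

def audit_roles(roles_json: str) -> list:
    """Flag capability-only roles that gain index access directly or by import."""
    findings = []
    for entry in json.loads(roles_json)["entry"]:
        name, content = entry["name"], entry["content"]
        if name not in CAPABILITY_ONLY_ROLES:
            continue
        if content.get("srchIndexesAllowed"):
            findings.append(f"{name}: srchIndexesAllowed is set to {content['srchIndexesAllowed']}")
        inherited = set(content.get("imported_roles", [])) & SPLUNK_DATA_ROLES
        if inherited:
            findings.append(f"{name}: imports {sorted(inherited)}, inheriting their index access")
    return findings

def audit_apps(apps_json: str) -> list:
    """Flag apps where a basic-user role, or everyone ('*'), holds write permission."""
    findings = []
    for entry in json.loads(apps_json)["entry"]:
        writers = set(entry["acl"]["perms"].get("write", []))
        offenders = writers & (BASIC_ROLES | {"*"})
        if offenders:
            findings.append(f"{entry['name']}: write granted to {sorted(offenders)}")
    return findings
```

On a live search head the same records are visible with `| rest /services/apps/local` and `| rest /services/authorization/roles`, where the fields appear as eai:acl.perms.write, imported_roles and srchIndexesAllowed.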