Splunk Enterprise

00:00

Hello and welcome back to the Splunk Enterprise Certified Administrator course on Cyber. In this video, we're gonna be doing a lab to go over how you can create a user and a role within Splunk. So pretty straightforward. But we'll just get started. We're gonna be dealing with splints, native authentication.

00:18

So we'll go to settings

00:20

users.

00:22

Andi, we'll create a new one,

00:25

and you can see here. We need to assign a roll down here. So let's just go over this really quick. So first, you to sign a name if you want to. You could set a full name email address. You have to set a password. Obviously, if you want to set these preferences, you can. But you also don't have to do that. And that couldn't be changed later as well.

00:44

And then you select a role for that user to belong to. We're not going to use the default rules, So we're actually gonna back out of creating this user and first go create a new role based off of one of these,

00:58

and then we'll come back and make our user and assign them to that role. So it's cancelled out of here

01:04

go to roles

01:07

and we'll add new.

01:08

So the very first thing you get to do is inherit from a roll if you want to, you don't have to do this, but it gives you a quick baseline level of capabilities, which is basically just Splunk word for privileges that will be associate with it. So I tend to not

01:29

use the default roles and you're not really supposed Teoh. I think, uh,

01:34

if the tests asked you anything about using default rolls, you should specify that you should create your own roles based off of them.

01:42

So, for example, let's make a new admin role, so we'll create.

01:49

We'll go select Admin is our baseline. And so, as you can see, it will automatically add these and the ones that come from the role will say inherited next to him. And then you can feel free to add additional rolls if you want.

02:07

So I'm gonna make one that has the delete by keyword, uh, capability as well is everything else and I'm gonna make this, like my absolute like master roll that no one should ever really use them.

02:24

So then you can specify which indexes you want them to be able to search. And the trick here

02:32

is you can you have to specify both included and default. And so what this means is, if you ever these, you'll be able to see these are going to be the ones that they're allowed to search on. And then these air going to be the ones that when they commit a search without specifying index,

02:50

these will be the search, or these will be the indexes that gets surged.

02:53

So generally, if I have an admin role, I'm gonna have all internal be my default so you can just run a keyword search and you'll check all internal indexes and then I'll allow them to see all non internal or I'm sorry.

03:10

I want non internal to be my default. And I want all internal and all non internal to be searchable.

03:19

Then we can see if we want Teoh apply any restrictions you can. So

03:24

there's a couple options here you can you can use basically search logic to say what you don't want this user to be able to see. I've

03:37

I never really used this, Um,

03:43

but if you can think of a security application for why you

03:46

like I don't want a certain user to see something. This is just one option that's available to you. Teoh

03:53

Till apply in addition to restricting what indexes they can see, so it's worth checking out. It's worth knowing that this feature exists, but how much mileage you get out of it? Might very.

04:08

And then, if you want Teoh for the role, you can set a default app. This could be really cool if you make workspace apse, which is basically just a dedicated spot for certain groups of users to use. Like you could make a security app. Or you could make like a Windows admin zap or something,

04:27

and just a place to, like, keep them containerized kind of within Splunk.

04:31

So this could be kind of cool. If you want to do that, you could just set search. And then this is if you want to set any kind of limitations on their actual search running abilities, which could be really valuable in terms of like limiting how impactful a given user can be

04:50

on the system performance

04:56

that will just make a name for this and we'll call this, um

05:02

mm what's a fun name. Admin is boring. Let's let's call this one Superman. So this is like our this canoe everything kind of role. So we'll create it.

05:14

And now we will make a new user

05:16

that belongs to that. So users

05:20

new user and won't call. This

05:25

are

05:28

E. I was gonna call it Superman User, but I'm just not call new user.

05:33

And, you know,

05:36

in this case, the name is pretty arbitrary. Doesn't really matter. Will make searching, reporting or default app. I'm in Eastern time, so

05:46

I'll set this to Eastern time

05:47

and we'll get rid of the user capability and, well, Adam toe are Superman role and safe. And so now this guy's created.

05:56

So if I were to log out,

05:59

I'll be able Teoh. Now log in a lips.

06:03

He's not super ran his new user on

06:08

or super secure password.

06:14

Oh, and I apparently left the box checked for require a new password on log in, which could be good because obviously, since I set the password, I know what it is, and that's no longer that secure.

06:27

So that could be a nice security feature. If you want Teoh,

06:32

be cognizant of that

06:34

cool, but yeah. So that is how you can create a new local Splunk user and a new role. So

06:43

that's at a high level. Everything you need to know about that if you get into Mawr Enterprise environments where you're dealing with using some of the more complicated

06:55

authentication mechanisms like L DAP, you'll have to go through another,

07:00

uh, exercise for doing that splits. Documentation is pretty good, and it's and setting it up is like,

07:06

not super complicated. But you do need a sample, um,

07:12

loggers or or some sort of information about your, like l dap configuration or active directory configuration so that you can fill in like all the bind and all the all the configurations they ask for.

07:28

But, um,

07:30

and then once you do that, you also map

07:33

basically a D rolls to Splunk roles. So that process is a little more complicated, and unfortunately, we're not gonna be able to get into it in this course. But just be aware that

07:44

that is something you may have to dio. So if you have a test environment available Teoh that can connect to a active directory environment, it would definitely be worth going through that exercise if you have the chance. But aside from that, that's everything you need to know. For

08:03

this the exam in terms, off