scanner
  • About Scanner
  • When to use it
  • Architecture
  • Getting Started
  • Playground Guide
    • Overview
    • Part 1: Search and Analysis
    • Part 2: Detection Rules
    • Part 3: Augment your SIEM
    • Wrapping Up
  • Log Data Sources
    • Overview
    • List
      • AWS
        • AWS Aurora
        • AWS CloudTrail
        • AWS CloudWatch
        • AWS ECS
        • AWS EKS
        • AWS GuardDuty
        • AWS Lambda
        • AWS Route53 Resolver
        • AWS VPC Flow
        • AWS VPC Transit Gateway Flow
        • AWS WAF
      • Cloudflare
        • Audit Logs
        • Firewall Events
        • HTTP Requests
        • Other Datasets
      • Crowdstrike
      • Custom via Fluentd
      • Fastly
      • GitHub
      • Jamf
      • Lacework
      • Osquery
      • OSSEC
      • Sophos
      • Sublime Security
      • Suricata
      • Syslog
      • Teleport
      • Windows Defender
      • Windows Sysmon
      • Zeek
  • Indexing Your Logs in S3
    • Linking AWS Accounts
      • Manual setup
        • AWS CloudShell
      • Infra-as-code
        • AWS CloudFormation
        • Terraform
        • Pulumi
    • Creating S3 Import Rules
      • Previewing Imports
      • Regular Expressions in Import Rules
  • Using Scanner
    • Query Syntax
    • Aggregation Functions
      • avg()
      • count()
      • countdistinct()
      • eval()
      • groupbycount()
      • max()
      • min()
      • percentile()
      • rename()
      • stats()
      • sum()
      • table()
      • var()
      • where()
    • Detection Rules
      • Event Sinks
      • Out-of-the-Box Detection Rules
      • MITRE Tags
    • API
      • Ad hoc queries
      • Detection Rules
      • Event Sinks
      • Validating YAML files
    • Built-in Indexes
      • _audit
    • Role-Based Access Control (RBAC)
    • Beta features
      • Scanner for Splunk
        • Getting Started
        • Using Scanner Search Commands
        • Dashboards
        • Creating Custom Content in Splunk Security Essentials
      • Scanner for Grafana
        • Getting Started
      • Jupyter Notebooks
        • Getting Started with Jupyter Notebooks
        • Scanner Notebooks on Github
      • Detection Rules as Code
        • Getting Started
        • Writing Detection Rules
        • CLI
        • Managing Synced Detection Rules
      • Detection Alert Formatting
      • Scalar Functions and Operators
        • coalesce()
        • if()
        • arr.join()
        • math.abs()
        • math.round()
        • str.uriencode()
  • Single Sign On (SSO)
    • Overview
    • Okta
      • Okta Workforce
      • SAML
Powered by GitBook
On this page
  • Overview
  • Key Concepts
  • How RBAC Works in Scanner
  • Default Roles
  • Managing RBAC in Scanner
  • Auditing user actions

Was this helpful?

  1. Using Scanner

Role-Based Access Control (RBAC)

Overview

Scanner implements Role-Based Access Control (RBAC) to manage permissions securely and efficiently. RBAC restricts access to system resources based on predefined roles assigned to entities—referred to as actors—such as Users, API Keys, and, in the future, any other entity capable of interacting with Scanner. This ensures that actors can only perform actions and access data relevant to their responsibilities, enhancing security, simplifying administration, and supporting scalability as your organization grows.

In Scanner, RBAC is designed to be flexible yet robust, allowing administrators to define roles, assign them to actors, and control access to features like running search queries, managing detection rules, and system configuration.

Key Concepts

  • Roles: A role represents a set of permissions that define what an actor can do within Scanner. Examples might include admin, analyst, user.

  • Permissions: Specific actions or access rights tied to a role.

  • Resources: The entities that actors may act upon, like Indexes, Detection Rules, and Synced Github Repositories.

  • Actors: Entities assigned to one or more roles. Currently, actors include:

    • Users: Individuals interacting via the UI.

    • API Keys: Programmatic access tokens used for automation or integrations.

    • Future Actors: Any additional entities (e.g., service accounts, bots) that may interact with Scanner as the system evolves.

How RBAC Works in Scanner

  1. Role Definition Administrators create roles within Scanner via the Admin Console. Each role is associated with a set of permissions that dictate what actions actors can take. For example:

    • admin: Full access to all features, including user management and system settings.

    • user: Can initiate queries and view results but cannot modify configurations.

  2. Actor Assignment Actors—Users, API Keys, or future entities—are assigned to one or more roles.

  3. Permission Enforcement When an actor interacts with Scanner (e.g., a User logs in or an API Key triggers a query), the RBAC system evaluates their role(s) and associated permissions. Access is granted or denied based on these rules. For instance:

    • A user attempting to query the _audit index is denied because their role lacks the Query permission on the _audit index.

    • An API Key with the admin role can perform any action programmatically.

Default Roles

Scanner provides the following built-in roles to get you started. These can be customized or supplemented with custom roles as needed:

Role
Description
Permissions

admin

Full control over Scanner

All actions (e.g., manage users, configure system, run search queries)

user

Read-only access

Cannot view data by default, give permission to specific indexes.

Managing RBAC in Scanner

Admin Interface

Administrators can manage roles, permissions, and actor assignments through the Settings > Roles UI.

Creating Roles: Define a new role and assign permissions.

Assigning Members: Link actors like Users and API Keys to roles. For example, an API Key for your SOAR might be assigned the analyst role for automated querying on specific indexes.

Modifying Permissions: Update what a role can do, like managing the Team, interacting with Indexes, managing API Keys, managing Detection Rules, and integrating Synced Repositories from GitHub.

Auditing user actions

Admins and other users with appropriate permissions can query the _audit index to monitor and review actions taken by Users, API Keys, or other actors within Scanner. This index logs details such as who performed an action, what action was taken (e.g., starting a query, modifying a detection rule), and when it occurred. By querying the _audit index—via the Search UI or via the Ad-Hoc Search API—authorized users can track usage patterns, troubleshoot issues, or ensure compliance with organizational policies.

Further documentation:

  • Built-in Indexes - _audit

  • Ad-hoc Search Queries API

Previous_auditNextBeta features

Last updated 2 days ago

Was this helpful?