The Splunk platform contains search processing language (SPL) safeguards to warn you when you might unknowingly run a search in Splunk Web that has commands that might be either a security or a performance risk. If a search command that Splunk classifies as risky triggers the safeguard, a warning dialog box appears to provide extra context for review, as well as the option to accept the risk and run the query anyway. In the Search app, the warning dialog box appears when you click a link or type a URL that loads a search which contains risky commands. In dashboards, the warning dialog box appears automatically unless an input or visualization contains a search with a risky command. In this case, you must click the error icon to invoke the warning. The warning does not appear when you create ad hoc searches.

This warning alerts you to the possibility of either a significant impact to performance or unauthorized actions by a malicious user, such as copying or transferring data, a practice known as data exfiltration.

A possible scenario when this might occur in the Search app involves a malicious person creating a search that includes commands that exfiltrate or destroy data. The malicious person then sends an unsuspecting user a link to the search. The URL contains a query string (q) and a search identifier (sid), but the sid is not valid. The malicious person hopes the user will use the link, and the search will run.

A potential scenario in a dashboard might involve a malicious person creating or editing a dashboard to include searches that contain commands that exfiltrate or destroy data. The malicious person can then send an unsuspecting user a link to the corrupted dashboard and wait for the user to load the dashboard, which runs the searches with the risky commands.

Some search commands do not pose security risks, but Splunk includes them in the list of risky commands because of their impact on performance. When a search contains the risky command, the Splunk platform raises a warning to advise of the potential performance effects of the command.

Here is the list of search commands in that are classified as risky. Splunk considers these commands risky because, if used incorrectly, they can pose a security risk or you can potentially lose data by running the commands.

New capabilities can limit access to some custom and potentially risky commands. In versions and higher of Splunk Cloud Platform and 9.0.0 and higher of Splunk Enterprise, new capabilities have been added that, in certain cases, you must grant explicitly to be able to run custom and potentially risky commands. The "user" and "power" roles receive the capabilities automatically, but if you are a user that does not hold one of these roles either directly or through role inheritance, you must assign the capabilities to roles that the user does hold. The following table shows the new capabilities and the actions that they grant:

Lets users run any custom search command.
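As an added example (not code from the page or from Splunk), the following Python script shows the kind of link audit a defender might run on a Search app URL of the form described above: it pulls the q and sid parameters, walks the SPL pipeline including subsearches, and reports any command that appears on a risky list. The RISKY_COMMANDS set is a constructed sample of a few commands; take the authoritative list from the Splunk documentation for your version.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample for this example; use the list from the Splunk docs for your version.
RISKY_COMMANDS = {"collect", "delete", "outputcsv", "outputlookup", "sendemail", "script"}

def split_pipeline(spl):
    """Split SPL on '|' characters that are outside double quotes and outside [ ] subsearches."""
    stages, start, depth, in_quote = [], 0, 0, False
    for i, ch in enumerate(spl):
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote and ch in "[]":
            depth += 1 if ch == "[" else -1
        elif not in_quote and ch == "|" and depth == 0:
            stages.append(spl[start:i].strip())
            start = i + 1
    stages.append(spl[start:].strip())
    return stages

def subsearches(stage):
    """Bodies of the top-level [ ... ] subsearches in one pipeline stage."""
    out, depth, start = [], 0, 0
    for i, ch in enumerate(stage):
        if ch == "[" and depth == 0:
            start = i + 1
        depth += {"[": 1, "]": -1}.get(ch, 0)
        if ch == "]" and depth == 0:
            out.append(stage[start:i])
    return out

def commands_in(spl):
    """Every command name in the SPL, descending into subsearches; a pipeline
    that does not begin with '|' starts with an implicit 'search' command."""
    found = []
    for idx, stage in enumerate(split_pipeline(spl)):
        m = re.match(r"[A-Za-z_]\w*", stage)
        if idx == 0 and not spl.lstrip().startswith("|"):
            found.append("search")
        elif m:
            found.append(m.group(0).lower())
        for sub in subsearches(stage):
            found.extend(commands_in(sub))
    return found

def audit_search_url(url):
    """Report the sid and any risky commands in the q= parameter of a Splunk Web search link."""
    params = parse_qs(urlparse(url).query)
    q = params.get("q", [""])[0]
    risky = sorted(set(commands_in(q)) & RISKY_COMMANDS)
    return {"sid": params.get("sid", [None])[0], "risky": risky}
```

The hostname in the test below is a constructed placeholder; a reported sid is returned as-is so the caller can check it against the sids that actually exist on the search head.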