Greetings,
I have read through the Knowledge Manager Manual on summary indexes, but I am left with a question for my use case. Our environment aggregates the internet connection for many departments into one pipe out. The departmental users want to review these logs, but I don't want them seeing outside the walls of their own department. We segment our internal network by IP range, so Dept A would have an IP of 10.1.0.0, Dept B would have 10.2.0.0, etc.
So I would like to take our `index=pan_logs src_ip=10.1.*` search and send its results to a summary index named pan_dept_a. I would then grant the Dept A group access to that summary index, and that is how they could search Palo Alto firewall data without accessing Dept B traffic logs in the pan_logs index.
Does this make sense and more importantly, conceptually, will it work?
Thanks!
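As an added illustration (not part of the original post, and not a reply from the thread), here is what the setup described above looks like in Splunk's own .conf files. The index name pan_dept_a and the source index pan_logs come from the question; the role name role_dept_a, the saved-search name pan_dept_a_summary, the schedule and the paths are assumptions for the example.

```ini
# Added example, not from the original post: Splunk .conf stanzas for
# routing one department's firewall events into a summary index and
# restricting a role to that index. Names other than pan_logs and
# pan_dept_a are assumed placeholders.

# indexes.conf (indexers): the per-department summary index
[pan_dept_a]
homePath   = $SPLUNK_DB/pan_dept_a/db
coldPath   = $SPLUNK_DB/pan_dept_a/colddb
thawedPath = $SPLUNK_DB/pan_dept_a/thaweddb

# savedsearches.conf (search head): scheduled search that copies Dept A's
# events into the summary index. cidrmatch() is used instead of the
# src_ip=10.1.* wildcard so the match is an exact /16 on the IP value
# rather than a string prefix. The 5-minute schedule with a matching,
# lagged earliest/latest window avoids gaps and double-copying between
# runs when events arrive late.
[pan_dept_a_summary]
search = index=pan_logs | where cidrmatch("10.1.0.0/16", src_ip)
cron_schedule = */5 * * * *
dispatch.earliest_time = -10m@m
dispatch.latest_time = -5m@m
enableSched = 1
action.summary_index = 1
action.summary_index._name = pan_dept_a

# authorize.conf (search head): a role that can search only the summary
# index. srchIndexesAllowed is the hard limit; srchIndexesDefault is what
# users hit when they omit index= entirely. Capabilities are granted
# directly instead of importing a broader role such as "user", because
# index permissions are the union of all inherited roles: importing a
# role that is allowed to search pan_logs (or *) would hand it back.
[role_dept_a]
search = enabled
srchIndexesAllowed = pan_dept_a
srchIndexesDefault = pan_dept_a
```

Two things to verify before relying on this: the summary index only ever contains what the scheduled search copied, so the filter in that search (not the role) is the actual boundary between departments, and it needs to be tested against the real field name and value format in pan_logs; and because the filter keys on src_ip, the summary index carries Dept A's outbound traffic only, so any inbound flows identified by dest_ip would need to be added to the search deliberately.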