We use custom-built roles for different groups who use Splunk. Typically the users in their role are restricted to certain indexes, and further restricted to what hosts they can see by using tags (hosts are tagged by the tags associated with the roles that are allowed to see them). Our Palo Alto logs are in their own pan_index and only certain people in our IT Security group are allowed access to that index with their role. However, it seems that this does not extend into the Palo Alto Networks app for Splunk. It seems that anyone that can login can open the app and see things in the Incident Investigation Feed (_time, log_subtype, threat_name, severity, action, app, client_ip).
I'm wondering why that is so? Is there a way to restrict who can use the app?
↧