
Index Based and Advanced Search Filters

Beta

You can restrict access to specific data using roles. When you create a role, use the Search Filter options to extend the role's data access control: select Index based to allow or deny access by index, or select Advanced filter to define, by search criteria, the dataset the role may see. This ensures that users see only the data they are supposed to.

Follow this process to define a search filter:

  1. Identify the dataset you want to control access to, and confirm it with a search query.
  2. When you create the role, define the dataset by selecting indexes through the Index based option, or field-specific criteria through the Advanced filter option.
  3. Verify that the role grants exactly the intended access by emulating a log search.
  4. Assign the role to the relevant users.

View the Search Filter options

To see the Search Filter options when you create a role:

  1. Go to Administration > Users and Roles > Roles.
  2. Click + Add Role on the upper right side of the page. The Create New Role pane displays the Search Filter options.
    [Image: Create a new role]

Index based

An index based search filter allows or denies access to search indexes.

  1. Create a role.
  2. Under Search Filter, select Index based.
  3. Select one of the following:
    • All indexes. Allow access to all indexes.
    • Allow few indexes. Allow access to only the selected indexes.
    • Deny few indexes. Deny access to the selected indexes.
  4. If you choose Allow few indexes or Deny few indexes, choose the indexes in the Select Indexes box that appears.
    [Image: Index based filter]

Index based filter example

For example, say you want to deny access to partition and security indexes. In the example environment, the accessLogs and authenticationLogs indexes are partitions, and the sec_* indexes contain security data. To deny access to them, select Deny few indexes and choose those indexes.

Advanced filter

An advanced filter allows access only to the logs that match the search filter; logs that do not match are hidden from users with the role.

  1. Create a role.
  2. Under Search Filter, select Advanced filter.
  3. Select one or more of the following to create a filter that allows access only to the logs matching the defined conditions. You can create only one filter of each type per role.
    • Log Analytics data filter. This filter applies to all partitions and to LiveTail.
    • Audit data filter. This filter applies to all logs in the audit indexes and to LiveTail, for example sumologic_audit_events, sumologic_search_events, sumologic_search_usage_per_query, and sumologic_system_events.
    • Security data filter. This filter applies to all logs in Cloud SIEM security indexes.
  4. Enter search criteria in the box provided. For examples, see Understanding search filters.
    [Image: Advanced filter]

Advanced filter examples

Following are examples for advanced filtering:

  • Say you want to hide all Log Analytics logs that contain the keyword error, and all security logs where malicious=high. Select Log Analytics data filter and enter !error, then select Security data filter and enter !malicious=high. Because each filter allows only matching logs, the negated terms exclude those logs. Note that error is a keyword term, so the filter hides every log containing that word, not only logs at error severity.
  • Say you want to hide all error logs in Log Analytics and deny access to all audit indexes. In this case, you must create two roles. For role 1, select Advanced filter > Log Analytics data filter and enter !error. For role 2, select Index based > Deny few indexes and select all audit indexes.

Keep in mind that these are examples only, and you must adapt them for use in your environment. For more filter examples, see Construct a Search Filter for a Role.
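The index based example, the two advanced filter examples, and the emulation step below, as an added illustration in Python that is not Sumo Logic's code or its filter engine: a toy model that applies a role's Index based filter and Advanced filters to constructed sample records and returns what a user with that role would see. The index names (appLogs, sec_signals and so on), field names and log lines are constructed, and the filter syntax is simplified (keyword terms, field=value terms, a leading ! for negation).

```python
"""Toy model of a role's Index based and Advanced search filters.

Added illustration, not Sumo Logic code: it simulates what the Emulate log
search step should show for a role, using a simplified form of the filter
syntax (plain keyword terms match anywhere in the message, field=value terms
match a parsed field, and a leading "!" negates a term). Index names, field
names and log lines below are constructed samples.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

# Constructed records. "kind" selects which Advanced filter applies:
# "log" = Log Analytics (partitions), "audit" = audit indexes,
# "security" = Cloud SIEM security indexes.
SAMPLE_LOGS = [
    {"index": "accessLogs", "kind": "log", "message": "GET /admin 200", "fields": {"user": "alice"}},
    {"index": "authenticationLogs", "kind": "log", "message": "login error for bob", "fields": {"user": "bob"}},
    {"index": "appLogs", "kind": "log", "message": "order processed ok", "fields": {}},
    {"index": "appLogs", "kind": "log", "message": "payment ERROR: timeout", "fields": {}},
    {"index": "appLogs", "kind": "log", "message": "retry succeeded, no error", "fields": {}},
    {"index": "sec_signals", "kind": "security", "message": "signal fired on web01", "fields": {"malicious": "high"}},
    {"index": "sec_signals", "kind": "security", "message": "signal fired on web02", "fields": {"malicious": "low"}},
    {"index": "sumologic_audit_events", "kind": "audit", "message": "role updated by admin", "fields": {}},
]


@dataclass
class Role:
    name: str
    # Index based filter: "All", "Allow" (only selected_indexes) or "Deny" (all but selected_indexes).
    selection_type: str = "All"
    selected_indexes: list = field(default_factory=list)  # names or globs such as "sec_*"
    # Advanced filters; None means no filter of that type was created for the role.
    log_analytics_filter: Optional[str] = None
    audit_filter: Optional[str] = None
    security_filter: Optional[str] = None


def index_allowed(role: Role, index_name: str) -> bool:
    """Apply the Index based filter to one index name."""
    selected = any(fnmatchcase(index_name, pattern) for pattern in role.selected_indexes)
    if role.selection_type == "All":
        return True
    if role.selection_type == "Allow":
        return selected
    if role.selection_type == "Deny":
        return not selected
    raise ValueError(f"unknown selection type {role.selection_type!r}")


def term_matches(term: str, record: dict) -> bool:
    """One filter term: keyword (case-insensitive substring of the message) or field=value."""
    negate = term.startswith("!")
    if negate:
        term = term[1:]
    if "=" in term:
        key, value = term.split("=", 1)
        hit = record["fields"].get(key) == value
    else:
        hit = term.lower() in record["message"].lower()
    return hit != negate


def advanced_allowed(role: Role, record: dict) -> bool:
    """Apply the Advanced filter that covers this record's data type; every term must match."""
    expr = {
        "log": role.log_analytics_filter,
        "audit": role.audit_filter,
        "security": role.security_filter,
    }[record["kind"]]
    return expr is None or all(term_matches(t, record) for t in expr.split())


def visible_messages(role: Role, logs=SAMPLE_LOGS) -> list:
    """Emulate a log search under the role: a record is shown only if both filters allow it."""
    return [r["message"] for r in logs if index_allowed(role, r["index"]) and advanced_allowed(role, r)]


# Index based filter example: deny the partition and security indexes.
DENY_PARTITIONS_AND_SECURITY = Role("deny-partitions-security", "Deny", ["accessLogs", "authenticationLogs", "sec_*"])
# First Advanced filter example: hide "error" logs and malicious=high security logs.
NO_ERROR_NO_HIGH = Role("no-error-no-high", log_analytics_filter="!error", security_filter="!malicious=high")
# Role 2 of the second Advanced filter example: deny all audit indexes (the glob stands in for selecting each one).
DENY_AUDIT = Role("deny-audit", "Deny", ["sumologic_*"])

if __name__ == "__main__":
    for role in (DENY_PARTITIONS_AND_SECURITY, NO_ERROR_NO_HIGH, DENY_AUDIT):
        print(role.name, "->", visible_messages(role))
```

Running the model with NO_ERROR_NO_HIGH hides "retry succeeded, no error" along with the real error lines, which is the keyword caveat in the first example: a negated keyword excludes every log that contains the word, so check the emulation output for collateral exclusions before assigning the role. Each role is emulated on its own, which is why the second example splits the advanced filter and the index deny across two roles.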

Test search filters

  1. Go to Administration > Users and Roles > Roles.
  2. Select a role with search filtering defined.
  3. Click Emulate log search. The search is emulated with the search filters defined in the role. (The example below uses an index based search filter.)
    [Image: Emulate log search for index based filter]
  4. Enter your search parameters in the log search emulation window. The search returns only what the search filters defined in the role allow.
    [Image: Emulate log search window]

Copyright © 2023 by Sumo Logic, Inc.