Index Access and Advanced Search Filters
When you create a role, you can restrict access to log data with advanced search filters, and you can also restrict access to the indexes you specify. Together these ensure that users see only the data they are entitled to.
Follow this process to restrict access using advanced filters and indexes:
- Identify the dataset you would like to control access to. Test it out using a search query.
- When you create a role, define the dataset to give access to using advanced search filters and index access.
- Verify the dataset access is correct using emulation.
- Assign the role to the relevant users.
Configure advanced search filter options
When you create a role, an advanced filter allows access only to the logs that match the search filter.
- Go to Administration > Users and Roles > Roles.
- Click + Add Role on the upper right side of the page. The Create New Role pane displays.
- Select one of the following to create a filter that allows access only to the logs that match the defined conditions. You can define at most one filter of each type.
  - Log Analytics data filter. This filter applies to all partitions and to Live Tail.
  - Audit data filter. This filter applies to all logs in the audit indexes and to Live Tail. For example, you could include filters for `sumologic_audit_events`, `sumologic_search_events`, `sumologic_search_usage_per_query`, or `sumologic_system_events`, to name a few.
  - Security data filter. This filter applies to all logs in Cloud SIEM security indexes.
- Enter search criteria in the box provided. For examples, see Understanding search filters.
Advanced filter examples
Following are examples of advanced filtering:
- Suppose you want to deny access to all Log Analytics logs that contain `error`, and to all security logs that contain `malicious=high`. Select Log Analytics data filter and add `!error` to the filter, then select Security data filter and add `!malicious=high` to the filter.
- Suppose you want to deny access to all error logs in Log Analytics, and also deny access to all audit indexes. In this case you have to create two roles. For role 1, select Advanced filter > Log Analytics filter and add `!error` to the filter. For role 2, select Index Access > Deny few indexes and select all audit indexes.
Keep in mind that these are examples only, and you must adapt them for use in your environment. For more filter examples, see Construct a Search Filter for a Role.
Configure index access
An index filter allows or denies access to search indexes.
- Create a role.
- In the Create New Role pane, navigate to Index Access.
- Select one of the following:
- All indexes. Allow access to all indexes.
- Allow few indexes. Allow access to only the selected indexes.
- Deny few indexes. Deny access to the selected indexes.
- If you choose Allow few indexes or Deny few indexes, choose the indexes in the Select Indexes box that appears.
Index filter example
For example, suppose you want to deny access to the partition and security indexes. In our example environment, the `accessLogs` and `authenticationLogs` indexes give access to partitions, and the `sec_*` indexes give access to security information. To deny access to these indexes, click Deny few indexes and select them.
Test search filters
- Go to Administration > Users and Roles > Roles.
- Select a role with search filtering defined.
- Click Emulate log search. The search will be emulated for the search filters defined in the role. (In the example below, an index search filter is defined.)
- Enter your search parameters in the log search emulation window. The search will return only what is allowed by search filters defined in the role.
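The following is an added example, not part of the original page and not Sumo Logic code. It models, for the advanced filter examples (`!error`, `!malicious=high`) and the index filter example (`accessLogs`, `authenticationLogs`, `sec_*`) above, how a role's filter and index selection narrow a search, and serves as an offline stand-in for the emulation check. The matching rules are a deliberate simplification (case-insensitive whole-word terms joined by AND, `!` for negation, glob patterns for index names) and are an assumption, not the product's search semantics; the sample log lines and index names are constructed. It also makes one least-privilege point the examples leave implicit: a Deny few indexes list keeps exposing any index created after the role was defined, whereas an Allow few indexes list does not.

```python
"""Local model of a role's advanced search filter plus Index Access selection.

Added illustration (not Sumo Logic code). The matching rules are an assumed
simplification, not the real search engine.
"""
import fnmatch
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    log_filter: str = ""          # Log Analytics data filter; "" means no restriction
    selection_type: str = "All"   # Index Access: "All", "Allow" or "Deny"
    selected_indexes: tuple = ()  # index names or glob patterns such as "sec_*"


# Constructed sample data: (index name, raw message). Not real logs.
SAMPLE_LOGS = [
    ("accessLogs", "GET /login 200 user=alice"),
    ("accessLogs", "GET /admin 500 error upstream timeout"),
    ("authenticationLogs", "login failed user=bob error=invalid_password"),
    ("sec_signals", "malicious=high src=10.0.0.5"),
    ("sec_signals", "malicious=low src=10.0.0.9"),
    # An index that did not exist when the roles below were written.
    ("billing_2024", "invoice generated id=77"),
]


def index_allowed(role: Role, index: str) -> bool:
    """Apply the role's Index Access selection to one index name."""
    if role.selection_type == "All":
        return True
    selected = any(fnmatch.fnmatchcase(index, p) for p in role.selected_indexes)
    if role.selection_type == "Allow":
        return selected          # only the selected indexes are visible
    if role.selection_type == "Deny":
        return not selected      # everything except the selected indexes
    raise ValueError(f"unknown selection type {role.selection_type!r}")


def term_matches(term: str, message: str) -> bool:
    """One filter term. A leading '!' negates it; otherwise the term must
    appear as a whole word, case-insensitively (so 'error' != 'errors')."""
    negate = term.startswith("!")
    if negate:
        term = term[1:]
    pattern = r"(?<!\w)" + re.escape(term) + r"(?!\w)"
    hit = re.search(pattern, message, re.IGNORECASE) is not None
    return hit != negate


def filter_matches(expr: str, message: str) -> bool:
    """All terms must hold (implicit AND). '' or '*' matches everything."""
    terms = [t for t in expr.split() if t.upper() != "AND"]
    if not terms or terms == ["*"]:
        return True
    return all(term_matches(t, message) for t in terms)


def emulate(role: Role, query: str = "*", logs=SAMPLE_LOGS):
    """Emulate a log search as the role: the user's query is ANDed with the
    role's filter, and only indexes the role may read are searched."""
    return [
        (index, msg)
        for index, msg in logs
        if index_allowed(role, index)
        and filter_matches(role.log_filter, msg)
        and filter_matches(query, msg)
    ]


# Role 1 from the examples: hide error logs, deny the sec_* indexes.
DENY_ROLE = Role("analyst-deny", log_filter="!error",
                 selection_type="Deny", selected_indexes=("sec_*",))
# Same filter, but an allow-list of the two partition indexes instead.
ALLOW_ROLE = Role("analyst-allow", log_filter="!error",
                  selection_type="Allow",
                  selected_indexes=("accessLogs", "authenticationLogs"))
# Security data filter example: hide high-severity signals only.
SEC_ROLE = Role("sec-filter", log_filter="!malicious=high")

if __name__ == "__main__":
    for role in (DENY_ROLE, ALLOW_ROLE, SEC_ROLE):
        print(role.name)
        for index, msg in emulate(role):
            print(f"  {index:20} {msg}")
```

Running it shows that `DENY_ROLE` still returns the `billing_2024` line, because a deny list only covers what it names, while `ALLOW_ROLE` does not. When the intent is "this role may read these partitions and nothing else", Allow few indexes is the safer choice, and emulating the role after a new index is added is how you confirm it.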