Splunk App for Enterprise Security · v7.3.0
DAY 15 LAB · LAB 15 — PLAN ROLES & INDEXES · WEEK 3
Plan roles, indexes, and Deployment Server serverclasses.
  • Define roles: t1, t2, t3, soc_manager, ir_lead.
  • Map srchIndexesAllowed for each.
  • Plan retention: wineventlog 90d, sysmon 60d, network 30d, email 180d, notable 365d.
Hint (least privilege): T1 sees Incident Review plus a few indexes; T3 sees everything.
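One way to turn this plan into Splunk configuration, written here as an added example and not part of the lab material or the Enterprise Security app. The role and index names and the retention periods are the ones the lab lists; everything else is an assumption: the per-tier index split for t2, soc_manager and ir_lead (the lab only fixes T1 and T3), the `ess_analyst` import (assumed to be the ES-shipped role that grants Incident Review), the file locations, and the serverclass name and hostname pattern in serverclass.conf. Splunk treats a `#` after a value as part of the value, so every comment sits on its own line.

```ini
# ---- authorize.conf (assumed: deployed in an app's local/ directory on the search head) ----
# Least privilege: srchIndexesAllowed is an allow-list; an index not named here is invisible
# to the role even with index=<name> in the search bar. srchIndexesDefault is what a
# search hits when no index= is given, and must be a subset of srchIndexesAllowed.

[role_t1]
# Tier 1: Incident Review (via the assumed ess_analyst import) and two indexes only
importRoles = user;ess_analyst
srchIndexesAllowed = notable;wineventlog
srchIndexesDefault = notable

[role_t2]
# Tier 2 (assumed split): adds endpoint and network telemetry, still no mailbox data
importRoles = user;ess_analyst
srchIndexesAllowed = notable;wineventlog;sysmon;network
srchIndexesDefault = notable

[role_t3]
# Tier 3 "sees everything": * is every non-internal index; add ;_* only if T3 must read _internal/_audit
importRoles = user;ess_analyst
srchIndexesAllowed = *
srchIndexesDefault = notable

[role_soc_manager]
# Manager (assumed split): all lab indexes by name rather than *, so a new index is not exposed by default
importRoles = user;ess_analyst
srchIndexesAllowed = notable;wineventlog;sysmon;network;email
srchIndexesDefault = notable

[role_ir_lead]
# IR lead (assumed split): full read access; email is searched by default during mail-borne incidents
importRoles = user;ess_analyst
srchIndexesAllowed = *
srchIndexesDefault = notable;email

# ---- indexes.conf (assumed: pushed to the indexers) ----
# frozenTimePeriodInSecs is evaluated per bucket against the newest event in that bucket,
# so data can outlive the period slightly; without coldToFrozenDir a frozen bucket is deleted.
# Splunk's default is 188697600 (six years), which is why each index sets it explicitly.

[wineventlog]
homePath = $SPLUNK_DB/wineventlog/db
coldPath = $SPLUNK_DB/wineventlog/colddb
thawedPath = $SPLUNK_DB/wineventlog/thaweddb
# 90 days
frozenTimePeriodInSecs = 7776000

[sysmon]
homePath = $SPLUNK_DB/sysmon/db
coldPath = $SPLUNK_DB/sysmon/colddb
thawedPath = $SPLUNK_DB/sysmon/thaweddb
# 60 days
frozenTimePeriodInSecs = 5184000

[network]
homePath = $SPLUNK_DB/network/db
coldPath = $SPLUNK_DB/network/colddb
thawedPath = $SPLUNK_DB/network/thaweddb
# 30 days
frozenTimePeriodInSecs = 2592000

[email]
homePath = $SPLUNK_DB/email/db
coldPath = $SPLUNK_DB/email/colddb
thawedPath = $SPLUNK_DB/email/thaweddb
# 180 days
frozenTimePeriodInSecs = 15552000

[notable]
# The notable index is created by Enterprise Security; only the retention is overridden here.
# 365 days
frozenTimePeriodInSecs = 31536000

# ---- serverclass.conf on the Deployment Server (serverclass name, app name and host pattern are assumed) ----
[serverClass:windows_endpoints]
whitelist.0 = win-*

[serverClass:windows_endpoints:app:TA-windows-inputs]
restartSplunkd = true
```

After applying, check the role plan from the server rather than by reading the file: `splunk btool authorize list role_t1 --debug` shows the merged `srchIndexesAllowed` and which file it came from, which catches an `ess_*` import that widens the allow-list beyond the plan, and `splunk btool indexes list notable --debug` confirms the 365-day override beat the value shipped with the ES app.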