Role-based access control lockdown for Splunk Enterprise Security
Role-based access control (RBAC) lets administrators control which users can read and interact with data in your environment. One important part of RBAC is the ability to lock down team queues: restricting access to incident data, attachments, notes, and related information so that only authorized users can view it.
What is lockdown
Lockdown restricts access to the data that powers team queues, case management, and security dashboards. When activated, only administrator-level users can view this data through direct searches. Non-administrator users, such as analysts, will no longer have direct search access, which means dashboards and views that depend on this data will return empty or incomplete results for those users. Lockdown does not remove or alter any data. It only changes who is permitted to see it.
The areas of the product affected by lockdown include:
- Findings and investigations
- Notes, attachments, and response templates
- Cross-referenced data from findings and investigations
- The notable index, which powers many security dashboards and risk reports
Who should activate lockdown
Lockdown is built around a core idea: a security operations center (SOC) operates as a team, or group of teams, where each team has a defined work queue and a specific set of actions they are allowed to take within it. Analysts work on findings and investigations within their queue through the Splunk Enterprise Security interface. If an issue exceeds what a team can handle or is authorized to resolve, it escalates to the next team up the chain until it is resolved or mitigated.
Lockdown enforces this structure at the data level. It ensures that each team can only access what they are permitted to see through their assigned role and queue, and that raw data from the underlying indexes and collections cannot be retrieved outside of those defined workflows. Lockdown is designed for organizations that need to enforce strict access controls on incident and security data. It is not required.
Consider activating lockdown if:
- You need to ensure that non-admin users cannot access raw queue data even through indirect means such as lookups or searches.
- You have reviewed the list of affected collections and indexes.
You do not need to activate lockdown if:
- Your current user access model is working as intended and you have no requirement to restrict KV Store access by role.
- Your analysts need to run searches that depend on the notable index or team queue data.
What to expect when lockdown is activated
Once lockdown is activated, the following behaviors apply for each type of user:
| User type | What's affected |
|---|---|
| Administrators (admin, sc_admin, mc_admin) | No change. Administrators retain full read and write access to all data. |
| Analysts and non-admin users | No change to UI workflows in Splunk Enterprise Security. Through the Splunk Enterprise Security interface, analysts can still access findings and investigations according to their assigned role permissions. However, they cannot directly read the locked data collections or the notable index. Any app, dashboard, or automated process that searches this data will return empty results or show incomplete information. |
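Because any saved search, dashboard, or automated process that reads the locked data will return empty or incomplete results for non-admin users, an administrator will want to know which saved searches depend on the notable index or on lookups backed by locked collections before activating lockdown. The following added example (not part of this Splunk documentation) scans savedsearches.conf text for such references; the stanzas and the `es_notes_lookup` name are constructed placeholders, since the page does not list the locked collections.

```python
import re
from configparser import ConfigParser

# Constructed sample savedsearches.conf stanzas (not from the Splunk documentation).
SAMPLE_SAVEDSEARCHES = """\
[Triage - Open Findings by Urgency]
search = index=notable status=1 | stats count by urgency

[Weekly Risk Report]
search = `notable` | timechart span=1d count

[Host Inventory]
search = | inputlookup asset_lookup | table ip host

[Attachments Audit]
search = | inputlookup es_notes_lookup | stats count
"""
# Sources the administrator has confirmed are locked. "es_notes_lookup" is a placeholder
# for a lookup definition backed by a locked KV Store collection (the page names none).
LOCKED_INDEXES = {"notable"}
LOCKED_LOOKUPS = {"es_notes_lookup"}

INDEX_EQ = re.compile(r'\bindex\s*=\s*"?([\w*-]+)', re.IGNORECASE)
INDEX_IN = re.compile(r'\bindex\s+IN\s*\(([^)]*)\)', re.IGNORECASE)
LOOKUP_CMD = re.compile(r'\|\s*(?:inputlookup|outputlookup|lookup)\s+(?:\w+=\S+\s+)*"?([\w-]+)',
                        re.IGNORECASE)

def parse_savedsearches(text):
    """Return {stanza name: search string} from savedsearches.conf text."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {name: cp[name].get("search", "") for name in cp.sections()}

def locked_references(spl, locked_indexes, locked_lookups):
    """Return the sorted list of locked sources that an SPL string reads."""
    names = [m.group(1) for m in INDEX_EQ.finditer(spl)]
    for m in INDEX_IN.finditer(spl):
        names += [t.strip().strip('"') for t in m.group(1).split(",")]
    hits = {"index:" + n.lower() for n in names if n.lower() in locked_indexes}
    # Assumption: the ES `notable` macro expands to a search of the notable index.
    if "notable" in locked_indexes and "`notable`" in spl:
        hits.add("index:notable")
    hits.update("lookup:" + n for n in LOOKUP_CMD.findall(spl) if n in locked_lookups)
    return sorted(hits)

def assess_impact(conf_text, locked_indexes, locked_lookups):
    """Map each saved search to the locked sources it depends on; [] means unaffected."""
    return {name: locked_references(spl, locked_indexes, locked_lookups)
            for name, spl in parse_savedsearches(conf_text).items()}
```

Run `assess_impact` against an exported savedsearches.conf; any stanza with a non-empty list will break for non-admin owners once lockdown is active.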
The following table lists the specific collections and indexes restricted by lockdown:
| Collection or index | What's restricted by lockdown |
|---|---|
| KV Store collections | |
| Indexes | |
Activate lockdown
An administrator can lock or unlock all affected collections and indexes at once without having to configure each one individually.
Follow these steps to activate lockdown:
1. Log in to the Splunk platform as an administrator.
2. Select Settings, then Data, and then Data Inputs.
3. Open Lock/Unlock KV Collections and Indexes.
4. Review the listed collections and indexes to confirm what will be restricted.
5. Activate the modinput to apply the lockdown.
Deactivate lockdown
Lockdown is deactivated by default, but if you activate it, you can revert at any time.
Follow these steps to deactivate lockdown:
1. Navigate to Settings, then Data, and then Data Inputs.
2. Open Lock/Unlock KV Collections and Indexes.
3. Deactivate the modinput.
4. Edit the modinput by unchecking Lock Resources.
5. Select Save.
6. Re-activate the input to apply the changes.
7. Deactivate the modinput again once the changes have taken effect.