Who can delete an investigation?

Prepare for the Splunk Enterprise Security Test. Utilize flashcards and multiple choice questions with detailed hints and explanations. Ensure your success by tackling tricky scenarios and developing a strong foundation in Splunk Enterprise Security!

The ability to delete an investigation in Splunk Enterprise Security is typically restricted to ess_admin users. This ensures that only authorized personnel, who usually have overarching control and responsibilities within the system, can remove investigations. This level of restriction is important for maintaining the integrity of security investigations, as it prevents unauthorized modifications or deletions that could compromise ongoing security assessments or audits.

While it might seem that other roles could also have deletion rights, allowing anyone other than ess_admin users to delete investigations can lead to potential mishaps, such as losing crucial investigative data or disrupting the cleanup processes. Therefore, having a focused access control list, where only ess_admin users are empowered to delete investigations, maintains the necessary security posture and minimizes risks associated with data loss.
