Splunk® Phantom (Legacy)

Administer Splunk Phantom



This documentation does not apply to the most recent version of Splunk® Phantom (Legacy). For documentation on the most recent version, go to the latest release.

Use whitelist to grant authorized access

The whitelist is enabled by default. Use this setting to toggle whether the Authorized section is visible in the Investigation screen's HUD.

The Authorized control for managing the whitelist appears in the Investigation screen if the whitelist is turned on. The control appears in the HUD, accessed by using the double-down chevron pull-down tab.

Access the HUD and Event Info by doing the following:

  1. Click the double-down chevron.
  2. Click the right arrow ( > ) next to Event Info.

The Authorized control is located in the People section.

This toggle is available for viewing and editing if your role has view and edit permissions for the system settings. See Manage roles and permissions in Splunk Phantom for more information about roles and permissions.

Disable the whitelist by doing the following:

  1. From the main menu, select Administration.
  2. Select Event Settings > Whitelist.
  3. Click the Enable Whitelist toggle to the Off position.

Once disabled, the Authorized section is no longer visible in Investigation. Reenabling the whitelist makes the Authorized section visible in Investigation and also reenables the authorized access that was previously configured.

Authorized access might not be available for every user in the system by default. Authorized access can only be granted to the subset of users who are already assigned to a label that has edit permissions on the container. For example, some teams only want to allow certain people to work on particular types of cases. Not every user assigned to a label needs access to a particular case.

Grant authorized access by doing the following in Investigation:

  1. Expand the Event Info collapsible section of a container.
  2. Click the edit icon in the Authorized section.
  3. From the Authorized Users drop-down list, select the names of the people who need access.

The Authorized section is visible if you have basic permissions for events with view selected. The Authorized Users drop-down list is editable if you have label permissions for events with view and edit selected.

Administrators always have access to all containers, so normally you don't need to authorize them. However, if you want to restrict a container to administrators only, set Administrators in the Authorized Users list. Setting specific user names grants access to those users and to administrators.

Last modified on 08 June, 2020
 

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8

