Assign roles for Splunk App for SOAR
Assign specific roles to administer and view data in Splunk App for SOAR.
Roles for Splunk App for SOAR
The following roles are associated with Splunk App for SOAR, Splunk Enterprise, and Splunk Cloud Platform. Information on assigning the roles appears after this table.
Role name | Description | User type |
---|---|---|
admin | Used to write to the appropriate files to configure Splunk App for SOAR to work with Splunk Enterprise and Splunk Cloud Platform. The admin role includes the following capabilities: | Administrator |
splunk_app_soar_dashboards | Enables a nonadministrative user to view Splunk App for SOAR dashboards. | Nonadministrative user |
phantomsearch | Required for remote search. Enables a nonadministrative user to perform remote searches. | Nonadministrative user |
phantomdelete | Required for remote search. Enables a nonadministrative user to delete information when performing remote searches. | Nonadministrative user |
Add the splunk_app_soar and splunk_app_soar_dashboards roles to users on Splunk Enterprise
Perform the following steps to add the splunk_app_soar role to the Splunk user setting up Splunk App for SOAR in supported Splunk Enterprise environments, and to add the splunk_app_soar_dashboards role to a nonadministrative user:
- Navigate to the Splunk platform instance where you installed Splunk App for SOAR.
- In Splunk Web, select Settings. In the Users and Authentication section, select Roles.
- Assign the splunk_app_soar role to a user or role. For example, if you want the Analyst role to have Splunk SOAR capabilities, perform these steps:
  - For the Analyst role, in the Actions column, select Edit.
  - In the Inheritance tab, select the check box next to the splunk_app_soar role. All users with the Analyst role then inherit all privileges of the splunk_app_soar role.
- Repeat the previous steps for the nonadministrative splunk_app_soar_dashboards role and any other roles.
- Select Save.
For additional information on adding roles in Splunk Enterprise, see Add or edit a role in the Securing Splunk Enterprise manual.
Role inheritance works for one level only. For example, if the Analyst role inherits the splunk_app_soar_dashboards role, and the User role in turn inherits the Analyst role, the Analyst role has the splunk_app_soar_dashboards capabilities but the User role does not, because it is more than one level away from the splunk_app_soar_dashboards role.
Add the splunk_app_soar and splunk_app_soar_dashboards roles to users on Splunk Cloud Platform
To add the splunk_app_soar role to the Splunk user setting up Splunk App for SOAR in supported Splunk Cloud Platform environments, and to add the splunk_app_soar_dashboards role to a nonadministrative user, follow the instructions in Add or edit a role in the Securing Splunk Cloud Platform manual.
When inheriting a role, the inheritance works for one level only. See detailed note about inheritance in the previous section.
Add the phantomsearch and phantomdelete user accounts
Splunk SOAR requires two user accounts for use by the remote search service. Add the phantomsearch and phantomdelete roles to two user accounts on your Splunk Enterprise instance or Splunk Cloud Platform deployment. You can use any user names you prefer for these accounts; these instructions use phantomsearchuser and phantomdeleteuser as examples.
These instructions are the same for standalone and distributed Splunk Cloud Platform or Splunk Enterprise instances.
Create these accounts on a search head. If you are working in a distributed instance, these users will be replicated to the rest of the cluster automatically. See Add users to the search head cluster in the Splunk Enterprise Distributed Search manual.
For more information on remote search, see instructions for distributed or standalone Splunk Cloud Platform or Enterprise instances.
First, create the user account with the phantomsearch role:
1. In Splunk Web, select Settings, then Users.
2. Select New User.
3. In the Name field, enter phantomsearchuser.
4. Set and confirm a password for this user that complies with your organization's security policies.
5. Under Assigned role(s), in the Available item(s) box, select phantomsearch to add that role.
6. Under Assigned role(s), in the Selected item(s) box, ensure that the user role is present. If it is not, add it as you did with phantomsearch in the previous step.
7. Deselect the Require password change on first login check box.
8. Select Save.
Repeat all of these steps for the user account with the phantomdelete role, with the following differences:
- In step 3, enter the name phantomdeleteuser.
- In step 5, select phantomdelete to add that role.
- In step 6, optionally remove the user role, which the phantomdeleteuser account does not require.
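The two procedures on this page, giving an existing role the splunk_app_soar and splunk_app_soar_dashboards roles through inheritance and creating the phantomsearch and phantomdelete accounts, can also be scripted against the Splunk management port. The following is an added example and not code from Splunk or from the app. It assumes a management endpoint in SPLUNK_URL with an admin credential in SPLUNK_AUTH, the account passwords in PHANTOMSEARCHUSER_PASSWORD and PHANTOMDELETEUSER_PASSWORD (variable names chosen for this example), that the four roles from the table above already exist, and that a role named analyst exists to stand in for the page's Analyst example. The endpoints and parameter names (authentication/users, authorization/roles, imported_roles, force-change-pass) are the standard Splunk REST API ones.

```python
"""Script the role inheritance and remote-search account steps via the Splunk REST API."""
import json
import os
import ssl
import urllib.parse
import urllib.request
from base64 import b64encode

# Connection settings (assumed variable names; set them in the environment).
SPLUNK_URL = os.environ.get("SPLUNK_URL", "https://localhost:8089")
SPLUNK_AUTH = os.environ.get("SPLUNK_AUTH", "admin:changeme")  # "user:password"
VERIFY_TLS = os.environ.get("SPLUNK_VERIFY_TLS", "1") == "1"

# Roles each remote-search account needs, per the page: the 'user' role is
# required on phantomsearchuser and optional on phantomdeleteuser.
REMOTE_SEARCH_USERS = {
    "phantomsearchuser": ["phantomsearch", "user"],
    "phantomdeleteuser": ["phantomdelete"],
}


def user_payload(name, password, roles, force_change_pass=False):
    """Form body for POST /services/authentication/users.

    Multi-valued parameters are sent as a repeated key (roles=a&roles=b).
    force-change-pass is off because the remote search service uses the
    account non-interactively (the page's 'deselect' step).
    """
    fields = [("name", name), ("password", password),
              ("force-change-pass", "1" if force_change_pass else "0")]
    fields += [("roles", r) for r in roles]
    return urllib.parse.urlencode(fields)


def inheritance_payload(parent_roles):
    """Form body for POST /services/authorization/roles/<role>; imported_roles
    is the REST name for the Inheritance tab in Splunk Web."""
    return urllib.parse.urlencode([("imported_roles", r) for r in sorted(parent_roles)])


def _request(path, body=None):
    """GET (body is None) or POST a form body; returns the decoded JSON response."""
    token = b64encode(SPLUNK_AUTH.encode()).decode()
    req = urllib.request.Request(
        SPLUNK_URL + path + "?output_mode=json",
        data=None if body is None else body.encode(),
        headers={"Authorization": "Basic " + token},
    )
    # Only disable verification for a lab instance with a self-signed certificate.
    ctx = None if VERIFY_TLS else ssl._create_unverified_context()
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def roles_of(user_json):
    """Roles assigned to a user, from GET /services/authentication/users/<name>."""
    return sorted(user_json["entry"][0]["content"]["roles"])


def check_remote_search_user(name, user_json):
    """Problems with a remote-search account's roles; an empty list means it is correct."""
    have = roles_of(user_json)
    return [f"{name}: missing role {r}" for r in REMOTE_SEARCH_USERS[name] if r not in have]


def add_imported_roles(role, new_parents):
    """Make 'role' inherit new_parents without dropping what it already imports.

    POSTing imported_roles replaces the whole list, so merge with the current
    value first. Inheritance is one level deep: a role that imports 'role'
    does not pick up new_parents through it.
    """
    current = _request(f"/services/authorization/roles/{role}")
    parents = set(current["entry"][0]["content"].get("imported_roles", []))
    parents.update(new_parents)
    _request(f"/services/authorization/roles/{role}", inheritance_payload(parents))


def create_remote_search_users():
    """Create both accounts, then read them back and report any role gaps."""
    problems = []
    for name, roles in REMOTE_SEARCH_USERS.items():
        password = os.environ[name.upper() + "_PASSWORD"]  # assumed variable name
        _request("/services/authentication/users", user_payload(name, password, roles))
        problems += check_remote_search_user(name, _request(f"/services/authentication/users/{name}"))
    return problems


# Constructed sample of a GET /services/authentication/users/phantomsearchuser
# response, trimmed to the fields used here; not captured from a real instance.
SAMPLE_USER_JSON = {"entry": [{"name": "phantomsearchuser",
                               "content": {"roles": ["user", "phantomsearch"]}}]}

if __name__ == "__main__":
    add_imported_roles("analyst", ["splunk_app_soar", "splunk_app_soar_dashboards"])
    for problem in create_remote_search_users():
        print(problem)
```

Reading each account back after creation is the scripted form of step 6 above: it catches a phantomsearchuser that was created without the user role before the remote search service fails on it. On Splunk Cloud Platform the management port is not exposed by default, so the same calls go through the Admin Config Service or the Splunk Web steps above instead.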
This documentation applies to the following versions of Splunk® App for SOAR: 1.0.57, 1.0.67