Splunk® Enterprise Security

Administer Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, causing some links to have redirect errors. For documentation on versions 7.x and earlier, see Splunk Enterprise Security 7.x documentation.

Pair Splunk Enterprise Security with Splunk SOAR

For automation functionality that lets users run actions, run playbooks, and review automation history in Splunk Enterprise Security, pair your Splunk Enterprise Security instance with your Splunk SOAR (Cloud) instance.

Splunk Enterprise Security currently pairs with the cloud version of Splunk SOAR.

Licensing

Splunk SOAR (Cloud) automatically pulls a license from your pool of available Splunk SOAR (Cloud) licenses when a Splunk Enterprise Security user interacts with Splunk SOAR (Cloud) automation. Be sure that you have enough available Splunk SOAR (Cloud) licenses for Splunk Enterprise Security users in their associated Splunk SOAR role. For details on licensing, see View your Splunk SOAR (Cloud) license.

Prerequisites

Address these points in Splunk Enterprise Security, Splunk SOAR (Cloud), and Splunk Cloud Platform before you begin pairing.

In Splunk Enterprise Security

  • Obtain the host name for your Splunk Enterprise Security instance and have it nearby.
  • Configure roles that you want to map to Splunk SOAR (Cloud) roles to inherit the soar_user capability. This process is required for Splunk Enterprise Security roles to appear in the Role mapping page at the end of the pairing process.
    1. In Splunk Enterprise Security: Open the Settings menu. In the Users and Authentication section, select Roles.
    2. On the Roles page, select the desired role, for example ess_analyst.
    3. On the Edit Role ess_analyst page, select the 2. Capabilities tab. Select the checkboxes for the following capabilities, then select Save.
      • soar_user
      • es_soar_settings_admin. This capability is also required for Splunk Enterprise Security versions 8.0.0 and 8.0.1.
    4. Repeat this process for any additional roles, such as ess_admin and ess_user.
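A pre-flight check for the capability prerequisite above, written as an added example (not Splunk's own code). It assumes the JSON shape returned by the Splunk platform REST endpoint GET /services/authorization/roles?output_mode=json (entry[].name, entry[].content.capabilities, entry[].content.imported_capabilities); the sample response below is constructed, and the version-specific rule follows the note on es_soar_settings_admin.

```python
"""Report which Splunk Enterprise Security roles still lack the capabilities
that role mapping needs. Added example; the sample data is constructed."""
import json

# Constructed sample shaped like the authorization/roles REST response.
SAMPLE_ROLES_JSON = json.dumps({
    "entry": [
        {"name": "ess_admin", "content": {
            "capabilities": ["soar_user", "es_soar_settings_admin"],
            "imported_capabilities": []}},
        {"name": "ess_analyst", "content": {
            "capabilities": ["soar_user"],
            "imported_capabilities": ["edit_notable_events"]}},
        {"name": "ess_user", "content": {
            "capabilities": [],
            "imported_capabilities": ["search"]}},
    ]
})


def required_capabilities(es_version: str) -> set:
    """soar_user is always required; 8.0.0 and 8.0.1 also need es_soar_settings_admin."""
    required = {"soar_user"}
    if es_version in ("8.0.0", "8.0.1"):
        required.add("es_soar_settings_admin")
    return required


def roles_missing_capabilities(roles_json: str, role_names, es_version: str) -> dict:
    """Return {role: sorted missing capabilities} for every role that is not
    ready to map. Inherited (imported) capabilities count as well as direct ones."""
    required = required_capabilities(es_version)
    entries = {e["name"]: e["content"] for e in json.loads(roles_json)["entry"]}
    missing = {}
    for role in role_names:
        content = entries.get(role)
        if content is None:
            missing[role] = sorted(required)  # role does not exist at all
            continue
        have = set(content.get("capabilities", [])) | set(content.get("imported_capabilities", []))
        gap = required - have
        if gap:
            missing[role] = sorted(gap)
    return missing


if __name__ == "__main__":
    roles = ["ess_admin", "ess_analyst", "ess_user"]
    for role, gap in roles_missing_capabilities(SAMPLE_ROLES_JSON, roles, "8.0.1").items():
        print(f"{role}: add {', '.join(gap)} before pairing")
```

Roles the check reports are the ones that will not appear on the Role mapping page until their capabilities are fixed.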

In Splunk SOAR (Cloud)

Contact your Splunk SOAR (Cloud) administrator for the following information:

  • Obtain the following information about your Splunk SOAR (Cloud) instance and have it nearby:
    • IP address
    • Host name
    • Login credentials (username and password)
  • Verify that the Splunk Enterprise Security IP address is on the Splunk SOAR (Cloud) allow list, if the allow list is specified.

In Splunk Cloud Platform

Before pairing, you must include the Splunk SOAR (Cloud) IP address in multiple sections of the Splunk Cloud Platform IP allow list.

Check to see if the Splunk SOAR (Cloud) IP address is already included in the Splunk Cloud Platform IP allow list in each of these sections:

  • Search head API access
  • IDM API
  • Search head UI access

If needed, add the Splunk SOAR (Cloud) IP address to each of these sections. For details, see Configure IP allow lists for Splunk Cloud Platform in the Admin Config Service Manual.

Perform pairing

To pair Splunk Enterprise Security with Splunk SOAR (Cloud), follow these steps:

  1. Log into Splunk Enterprise Security. From the Configurations page, select Splunk SOAR, then Pairing.
  2. Select Start pairing.
  3. On the Pairing and testing page, enter the information for your Splunk SOAR (Cloud) administrative account that you obtained from the Splunk SOAR (Cloud) administrator.

    The credentials you provide are used only during the pairing process. They are not stored here. Pairing is not affected by password changes or password rotation.

    The following credentials are required:
    • host name
    • username and password
  4. Review the displayed Splunk Enterprise Security host name.
    • If the displayed host name is correct, move on to the next step.
    • If your Splunk Enterprise Security host name is different, replace the displayed host name with the actual host name of your Splunk Enterprise Security deployment.
  5. Select Next to test the connection between Splunk Enterprise Security and Splunk SOAR (Cloud).
    • If the connection is successful: The next step, Role mapping, appears. Proceed to the next step in this section.
    • If there is an issue: Read the message provided and address the issue. Then select Next to test the connection again.
      Possible issues include:
      • Your Splunk SOAR (Cloud) version is not compatible with this version of Splunk Enterprise Security. Contact your Splunk SOAR (Cloud) administrator about upgrading your Splunk SOAR (Cloud) deployment.
      • The credentials you entered are not correct. Contact your Splunk SOAR (Cloud) administrator to verify the Splunk SOAR (Cloud) credentials.
      • The Splunk Enterprise Security IP address is not included in the Splunk SOAR (Cloud) allow list. Ask your Splunk SOAR (Cloud) administrator to contact Splunk Support to update the allow list.
  6. On the Role mapping page, map a Splunk platform role, like admin, to the Splunk SOAR (Cloud) role Administrator.
  7. If you are primarily using Splunk SOAR (Cloud) for Splunk Enterprise Security findings and investigations, configure these basic role mappings:
    Splunk Enterprise Security role: Splunk SOAR (Cloud) role
    • ess_admin: Automation Engineer
    • ess_analyst: Incident Commander
    • ess_user: Observer
    If you have existing Splunk SOAR (Cloud) use cases and data before ever pairing with Splunk Enterprise Security, you might want to create custom roles with more limited access to your Splunk SOAR (Cloud) data. Follow the steps in the next section of this article, Map custom roles.
  8. Select Finish pairing.
  9. On the Pairing page, confirm that the message states that Splunk Enterprise Security is paired with Splunk SOAR (Cloud).

Map custom roles

This section is intended only for users who did not perform the basic role mapping in the previous section.

The roles mapped above can view all of your Splunk SOAR (Cloud) data. If your Splunk SOAR (Cloud) deployment already has a lot of existing use cases and data, you might want to restrict which roles can see your Splunk SOAR (Cloud) information. In this case, you can create custom roles that can see only the Splunk Enterprise Security data within your Splunk SOAR (Cloud) deployment.

To create custom Splunk SOAR (Cloud) roles to map to your Splunk Enterprise Security roles, follow these steps after you have successfully completed the pairing process in the previous section.

  1. Log into Splunk SOAR (Cloud) using the admin role you mapped during the pairing process.
  2. In the Home menu, select Administration, then User Management, then Roles & Permissions.
  3. Select + Role to create a new role. You will repeat this process for each role you want to add.
  4. Specify a role name and, optionally, a role description.
  5. Select the Basic permissions and Label permissions tabs and assign permissions based on the type of role you want to add. The following list describes three types of roles you might want to use with Splunk Enterprise Security, in increasing level of permissions. The settings that change from one role type to the next are Events, Playbooks, and es_soar_integration.
    • View-only analyst: can view automation.
      Basic permissions tab settings: Apps: View, Assets: View, Events: View, Custom Lists: View, Playbooks: View, Users & Roles: View
      Label permissions tab settings: es_soar_integration: View
    • Automation analyst: can view automation, run actions, run playbooks, and respond to prompts.
      Basic permissions tab settings: Apps: View, Assets: View, Events: Edit, Custom Lists: View, Playbooks: Execute, Users & Roles: View
      Label permissions tab settings: es_soar_integration: Edit
    • Playbook author: can view, run, create, and delete playbooks.
      Basic permissions tab settings: Apps: View, Assets: View, Events: Edit, Custom Lists: View, Playbooks: Delete, Edit, Edit Code, Users & Roles: View
      Label permissions tab settings: es_soar_integration: Edit
  6. Select Create Role.
  7. To create additional roles, return to step 3 and repeat the process.
  8. Now you will map these roles to Splunk Enterprise Security roles.
    In Splunk Enterprise Security: From the Configure menu, select Splunk SOAR. On the Splunk SOAR (Cloud) configuration page, select Pairing.
  9. Select Edit Role Mapping. Map each new role you just created in Splunk SOAR (Cloud) to a Splunk Enterprise Security role. This table provides role mapping suggestions.
    Splunk Enterprise Security role: Splunk SOAR (Cloud) role
    • ess_user: View-only analyst
    • ess_analyst: Automation analyst
    • ess_admin: Playbook author
  10. Select Save.
  11. Confirm that your roles are mapped correctly.

Verify pairing Splunk Enterprise Security with Splunk SOAR (Cloud)

To verify that Splunk Enterprise Security is paired with Splunk SOAR (Cloud), follow these steps:

  1. Log into Splunk Enterprise Security. From the Configurations page, select Splunk SOAR, then Pairing.
  2. On the Pairing page, confirm that:
    • the first message states that Splunk Enterprise Security is paired with Splunk SOAR (Cloud)
    • the Configuration details section includes a list of role mappings

Unpair Splunk Enterprise Security from Splunk SOAR (Cloud)

You might want to unpair Splunk Enterprise Security from Splunk SOAR (Cloud) if you are switching out or performing maintenance on your Splunk SOAR (Cloud) server.

Unpairing affects people who are using Splunk Enterprise Security; users will not be able to run actions, run playbooks, or review automation history.

Unpairing does not delete existing playbooks in Splunk SOAR (Cloud).

To unpair Splunk Enterprise Security from Splunk SOAR (Cloud), follow these steps:

  1. Log into Splunk Enterprise Security. From the Configurations page, select Splunk SOAR, then Pairing.
  2. On the Pairing page, select Unpair. When prompted, select Unpair to confirm that you want to unpair.
    Wait for the unpairing process to complete.

The Pairing page displays. There, you can review the pairing history or choose to pair again.

Last modified on 10 January, 2025
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
