Pair Splunk Enterprise Security with Splunk SOAR
For automation functionality that lets users run actions, run playbooks, and review automation history in Splunk Enterprise Security, pair your Splunk Enterprise Security instance with your Splunk SOAR instance.
This article contains sections specifically for Splunk SOAR (Cloud) and Splunk SOAR (On-premises). If a section is not labeled, it pertains to either deployment type.
Licensing
Follow the instructions for the appropriate Splunk SOAR deployment.
Splunk SOAR (Cloud)
Splunk SOAR (Cloud) automatically pulls a license from your pool of available Splunk SOAR (Cloud) licenses when a Splunk Enterprise Security user interacts with Splunk SOAR (Cloud) automation. Be sure that you have enough available Splunk SOAR (Cloud) licenses for Splunk Enterprise Security users in their associated Splunk SOAR role. For details on licensing, see View your Splunk SOAR (Cloud) license.
Splunk SOAR (On-premises)
Check that your Splunk SOAR (On-premises) license meets these two criteria, so you can pair with Splunk Enterprise Security:
- current
- not a community license
Prepare to pair
Address these points in Splunk Enterprise Security, Splunk SOAR, and Splunk Cloud Platform before you begin pairing.
In Splunk Enterprise Security
To see the pairing page and perform pairing or unpairing, you must have the appropriate role for your Splunk deployment type:
- Splunk (Cloud): sc_admin role
- Splunk (On-premises): admin role
- Obtain the host name for your Splunk Enterprise Security instance and have it nearby.
- Configure roles that you want to map to Splunk SOAR roles to inherit the soar_user capability. This process is required for Splunk Enterprise Security roles to appear in the Role mapping page at the end of the pairing process.
- In Splunk Enterprise Security: Open the Settings menu. In the Users and Authentication section, select Roles.
- On the Roles page, select the desired role, for example ess_analyst.
- On the Edit Role ess_analyst page, select the 2. Capabilities tab. Select the checkboxes for the soar_user capability, then select Save.
- Repeat this process for any additional roles, such as ess_user.
In Splunk SOAR
Contact your Splunk SOAR administrator for the following information:
- Obtain the following information about your Splunk SOAR instance and have it nearby:
- IP address
- Host name, including the port number if you are not using port 443, the default HTTPS port (for example, https://my-soar.com:1234/)
- Login credentials (username and password)
- Verify the following criteria with your Splunk SOAR administrator:
- The Splunk Enterprise Security IP address is on the Splunk SOAR allow list, if the allow list is specified
- The Splunk SOAR SSL certificate is valid and configured
- The Splunk SOAR port is open
Splunk SOAR (On-premises): Upload certificates
Splunk Enterprise Security requires a valid SSL certificate to communicate with Splunk SOAR (On-premises).
If you are pairing with Splunk SOAR (Cloud), proceed to the next section.
To upload a Splunk SOAR (On-premises) SSL certificate, follow these steps:
- If you are installing for the first time, proceed to the next step. If you have an existing certificate from a previous configuration, make a backup copy of the existing certificate file, $SPLUNK_HOME/etc/apps/missioncontrol/certificates/soar_cert_bundle.pem.
- Create or edit the existing $SPLUNK_HOME/etc/apps/missioncontrol/certificates/soar_cert_bundle.pem file and add your PEM-formatted certificate to the end of the file. This is the PEM or CRT file from the default Splunk SOAR certificate or your own certificate. See Getting your certificates in the Securing Splunk Enterprise manual for more information about creating your own SSL certificates for Splunk Enterprise. You can add multiple Splunk SOAR root CA certificates to $SPLUNK_HOME/etc/apps/missioncontrol/certificates/soar_cert_bundle.pem.
- (Cluster deployments only) To automatically distribute SSL certs across search heads, load the certificate to the Cluster Deployer node, as described in the previous step, but use this path on the deployer: $SPLUNK_HOME/etc/shcluster/apps/missioncontrol/certificates/soar_cert_bundle.pem. After you have loaded the certificate, you must replicate it to all nodes. You can use Splunk Deployer to automatically replicate this file. For details, refer to Deploy a configuration bundle in the Use the deployer to distribute apps and configuration updates article of the Splunk Enterprise documentation.
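The connectivity criteria your Splunk SOAR administrator verifies (port open, certificate valid, Splunk Enterprise Security address on the allow list) and the certificate bundle you just edited can be checked together before you start pairing. The script below is an added example, not Splunk tooling; it assumes you run it on the Splunk Enterprise Security search head (so the source IP is the one the SOAR allow list must contain), and the host name and bundle path are constructed placeholders.

```python
"""Pre-pairing check run from the Splunk Enterprise Security search head.

Added example, not Splunk's own tooling. It checks the SOAR host name format,
the integrity of soar_cert_bundle.pem after an append, and a TLS connection
verified only against that bundle. Host names below are constructed.
"""
import os
import socket
import ssl
from urllib.parse import urlsplit

DEFAULT_BUNDLE = "$SPLUNK_HOME/etc/apps/missioncontrol/certificates/soar_cert_bundle.pem"
PEM_BEGIN, PEM_END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def parse_soar_host(value: str) -> tuple[str, int]:
    """Accept 'my-soar.com', 'my-soar.com:1234' or 'https://my-soar.com:1234/';
    the port defaults to 443, the standard HTTPS port."""
    parts = urlsplit(value if "//" in value else "//" + value)
    if not parts.hostname:
        raise ValueError(f"no host name in {value!r}")
    return parts.hostname, parts.port or 443


def count_pem_certs(bundle_text: str) -> int:
    """Count certificate blocks; raise on an unbalanced BEGIN/END pair,
    the usual result of a botched copy-and-append edit of the bundle."""
    begins = bundle_text.count(PEM_BEGIN)
    ends = bundle_text.count(PEM_END)
    if begins != ends:
        raise ValueError(f"unbalanced PEM blocks: {begins} BEGIN vs {ends} END")
    return begins


def check_tls(host: str, port: int, bundle_path: str = DEFAULT_BUNDLE,
              timeout: float = 5.0) -> tuple[bool, str]:
    """Open a TLS connection trusted only via the SOAR cert bundle.
    A refused or timed-out connect points at the port or the allow list;
    a verification error means the bundle does not chain to the SOAR cert."""
    ctx = ssl.create_default_context(cafile=os.path.expandvars(bundle_path))
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = dict(x[0] for x in tls.getpeercert()["subject"])
                return True, f"verified {subject.get('commonName', host)} via {tls.version()}"
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate not trusted by bundle: {exc.verify_message}"
    except (OSError, ssl.SSLError) as exc:
        return False, f"connection to {host}:{port} failed: {exc}"
```

Call `check_tls(*parse_soar_host("https://my-soar.com:1234/"))` from the search head; a failure message tells you which of the three criteria to raise with the SOAR administrator.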
In Splunk Cloud Platform
Ensure that Splunk Cloud Platform and Splunk SOAR can communicate with each other, including having all required Enterprise Security ports open.
Check to see if the Splunk SOAR IP address is already included in the Splunk Cloud Platform IP allow list in each of these sections:
- Search head API access: for all stacks
- IDM API: only for HIPAA or PCI compliance stacks
- Search head UI access: only for HIPAA or PCI compliance stacks
If needed, add the Splunk SOAR IP address to each of these sections. For details, see Configure IP allow lists for Splunk Cloud Platform in the Admin Config Service Manual.
Perform pairing
To pair Splunk Enterprise Security with Splunk SOAR, follow these steps:
- Log into Splunk Enterprise Security with the sc_admin role. From the Configurations page, select Splunk SOAR, then Pairing.
- Select Start pairing.
- On the Pairing and testing page, enter the information for your Splunk SOAR administrative account that you obtained from the Splunk SOAR administrator.
The credentials you provide are used only during the pairing process. They are not stored here. Pairing is not affected by password changes or password rotation.
The following credentials are required:
- host name
- username and password
- Review the displayed Splunk Enterprise Security host name.
- If the displayed host name is correct, move on to the next step.
- If your Splunk Enterprise Security host name is different, replace the displayed host name with the actual host name of your Splunk Enterprise Security deployment.
- Select Next to test the connection between Splunk Enterprise Security and Splunk SOAR.
- If the connection is successful: The next step, Role mapping, appears. Proceed to Step 5 in this section.
- If there is an issue: Read the message provided and address the issue. Then select Next to test the connection again.
Possible issues include:
- Your Splunk SOAR version is not compatible with this version of Splunk Enterprise Security. Contact your Splunk SOAR administrator about upgrading your Splunk SOAR deployment.
- The credentials you entered are not correct. Contact your Splunk SOAR administrator to verify the Splunk SOAR credentials.
- The Splunk Enterprise Security IP address is not included in the Splunk SOAR allow list. For Splunk SOAR (Cloud), ask your Splunk SOAR (Cloud) administrator to contact Splunk Support to update the allow list.
- The Splunk SOAR IP address is not included in the Splunk stack allow list. Contact your Splunk administrator.
- On the Role mapping page, map a Splunk platform role, like ess_analyst, to the Splunk SOAR role Incident Commander.
- If you are primarily using Splunk SOAR for Splunk Enterprise Security findings and investigations, configure these basic role mappings:
Splunk Enterprise Security Role | Splunk SOAR Role
mc_admin | Automation engineer
ess_analyst | Incident commander
ess_user | Observer
- Select Finish pairing.
- On the Pairing page, confirm that the message states that Splunk Enterprise Security is paired with Splunk SOAR.
Map custom roles
This section is intended only for users who did not perform the basic role mapping in the previous section.
The roles mapped above can view all of your Splunk SOAR data. If your Splunk SOAR deployment already has a lot of existing use cases and data, you might want to restrict which roles can see your Splunk SOAR information. In this case, you can create custom roles that can see only the Splunk Enterprise Security data within your Splunk SOAR deployment.
To create custom Splunk SOAR roles to map to your Splunk Enterprise Security roles, follow these steps after you have successfully completed the pairing process in the previous section.
- Log into Splunk SOAR using the admin role you mapped during the pairing process.
- In the Home menu, select Administration, then User Management, then Roles & Permissions.
- Select + Role to create a new role. You will repeat this process for each role you want to add.
- Specify a role name and, optionally, a role description.
- Select the Basic permissions and Label permissions tabs and assign permissions based on the type of role you want to add. This table describes three types of roles you might want to use with Splunk Enterprise Security, in increasing level of permissions. Differences from one row to the next are marked with an asterisk (*).
Role type | Basic permissions tab settings | Label permissions tab settings
View-only analyst (can view automation) | Apps: View; Assets: View; Events: View; Custom Lists: View; Playbooks: View; Users & Roles: View | es_soar_integration: View
Automation analyst (can view automation, run actions, run playbooks, and respond to prompts) | Apps: View; Assets: View; Events: Edit*; Custom Lists: View; Playbooks: Execute*; Users & Roles: View | es_soar_integration: Edit*
Playbook author (can view, run, create, and delete playbooks) | Apps: View; Assets: View; Events: Edit; Custom Lists: View; Playbooks: Delete, Edit, Edit Code*; Users & Roles: View | es_soar_integration: Edit
- Select Create Role.
- To create additional roles, return to step 3 and repeat the process.
- Now you will map these roles to Splunk Enterprise Security roles. In Splunk Enterprise Security: From the Configure menu, select Splunk SOAR. On the Splunk SOAR configuration page, select Pairing.
- Select Edit Role Mapping. Map each new role you just created in Splunk SOAR to a Splunk Enterprise Security role. This table provides role mapping suggestions.
Splunk Enterprise Security Role | Splunk SOAR Role
ess_user | View-only analyst
ess_analyst | Automation analyst
mc_admin | Automation engineer
- Select Save.
- Confirm that your roles are mapped correctly.
Verify pairing Splunk Enterprise Security with Splunk SOAR
To verify that Splunk Enterprise Security is paired with Splunk SOAR, follow these steps:
- Log into Splunk Enterprise Security. From the Configurations page, select Splunk SOAR, then Pairing.
- On the Pairing page, confirm that:
- the first message states that Splunk Enterprise Security is paired with Splunk SOAR
- the Configuration details section includes a list of role mappings
Unpair Splunk Enterprise Security from Splunk SOAR
You might want to unpair Splunk Enterprise Security from Splunk SOAR if you are switching out or performing maintenance on your Splunk SOAR server.
Unpairing affects people who are using Splunk Enterprise Security; users will not be able to run actions, run playbooks, or review automation history.
Unpairing does not delete existing playbooks in Splunk SOAR.
To unpair Splunk Enterprise Security from Splunk SOAR, follow these steps:
- Log into Splunk Enterprise Security. From the Configurations page, select Splunk SOAR, then Pairing.
- On the Pairing page, select Unpair. When prompted, select Unpair to confirm that you want to unpair.
Wait for the unpairing process to complete.
The Pairing page displays. There, you can review the pairing history or choose to pair again.
See also
For Splunk SOAR (Cloud):
- Refer your Splunk SOAR (Cloud) administrator to the Pair Splunk SOAR with Splunk Enterprise Security article in the Administer Splunk SOAR (Cloud) documentation.
- For more information on administering Splunk SOAR (Cloud), see Administer Splunk SOAR (Cloud).
For Splunk SOAR (On-premises):
- Refer your Splunk SOAR (On-premises) administrator to the Pair Splunk SOAR with Splunk Enterprise Security article in the Administer Splunk SOAR (On-premises) documentation.
- For more information on administering Splunk SOAR (On-premises), see Administer Splunk SOAR (On-premises).
Version compatibility
For details on which versions of Splunk SOAR are compatible with this version of Splunk Enterprise Security, see Compatibility matrix in the Splunk Enterprise Security Release Notes.
Using Splunk SOAR with Splunk Enterprise Security
For details on how to use Splunk SOAR functionality with Splunk Enterprise Security, see Integration of Splunk SOAR with Splunk Enterprise Security later in this manual.
This documentation applies to the following versions of Splunk® Enterprise Security: 8.1.0