Splunk® Mission Control

Investigate and Respond to Threats in Splunk Mission Control

Manage roles and capabilities for Splunk Mission Control users

Assign users to roles and add capabilities to those roles to manage their access to functionality and data in Splunk Mission Control.

Comparing Splunk admin roles with the Splunk Mission Control admin

The following table describes how Splunk Mission Control capabilities compare between different Splunk admin roles:

Admin role Description
mc_admin In Splunk Mission Control, mc_admin is the name of the admin role. Users with the mc_admin role inherit all Splunk Mission Control capabilities except for the ability to activate or deactivate Splunk Mission Control.
sc_admin In a Splunk Cloud Platform deployment, sc_admin is the name of the admin role. The sc_admin role shares the same capabilities as the mc_admin role, but also includes the ability to activate or deactivate Splunk Mission Control. You must have the sc_admin role to edit roles for users. Specifically, you must have the edit_roles_grantable capability, which is included in the sc_admin role.
ess_admin In a Splunk Enterprise Security (Cloud) deployment, ess_admin is the name of the admin role. The ess_admin role shares the same capabilities as the mc_admin role and is treated the same as mc_admin in Splunk Mission Control.

If you are a user with the mc_admin, sc_admin, ess_admin, or admin role in Splunk Mission Control, you are automatically granted the Administrator role in Splunk SOAR.

View and assign user roles

You can view your assigned roles as a user of Splunk Mission Control by selecting Settings and then Roles from Splunk Web. As a user with the sc_admin role, you can also edit, create, and assign roles. For more information, see Create and manage roles with Splunk Web in the Securing Splunk Cloud Platform manual. To assign many roles at once, see Use role inheritance to group roles together.

If you have an admin role in a Splunk security product, you can add users and manage their roles and capabilities across Splunk security products all from one location in Splunk Cloud Platform.

If you are a Splunk SOAR (Cloud) admin, you can't create users or roles in the Splunk SOAR (Cloud) interface after you activate Splunk Mission Control. Instead, you must manage roles and capabilities for users from Splunk Cloud Platform.

As a user of Splunk Enterprise Security (Cloud), you have several new roles in addition to the default roles provided by Splunk Cloud Platform. The new roles allow a Splunk administrator to assign access to specific functions in Splunk Enterprise Security (Cloud) based on a user's access requirements. For example, if you have the ess_analyst role in Splunk Enterprise Security (Cloud), the mc_analyst_edit_default capability is automatically imported, allowing Splunk Enterprise Security (Cloud) analysts the permission to work with Splunk Mission Control incidents. For more information on users and roles in Splunk Enterprise Security (Cloud), see Configure users and roles in the Splunk Enterprise Security (Cloud) Installation and Upgrade Manual.

Roles available to assign to Splunk Mission Control users

Splunk Mission Control includes several roles that you can assign to users to manage their access to certain functionality. The following table describes the roles available for Splunk Mission Control users and lists the included capabilities for each role.

Role name Description Included Splunk Mission Control capabilities
mc_admin Assign to users who must have access to every part of the system. Users with the mc_admin role inherit all Splunk Mission Control capabilities except for the ability to activate or deactivate Splunk Mission Control. mc_delete_soar_assets
mc_delete_soar_custom_lists
mc_edit_soar_apps
mc_edit_soar_assets
mc_edit_soar_custom_lists
mc_edit_soar_system_settings
mc_health_report
mc_incident_settings_edit
mc_incident_settings_read
mc_incident_sla_settings_edit
mc_incident_sla_settings_read
mc_response_template_edit
mc_response_template_view
mc_soar_proxy_execute
mc_view_im_data
mc_view_soar_apps
mc_view_soar_assets
mc_view_soar_custom_lists
mc_view_soar_system_settings
mc_view_soar_users_roles
mc_analyst_all_edit Assign to users who need to view and edit all incidents on the incident review page. mc_health_report
mc_incident_sla_settings_read
mc_response_template_view
mc_view_im_data
mc_view_soar_apps
mc_view_soar_assets
mc_view_soar_custom_lists
mc_view_soar_system_settings
mc_view_soar_users_roles
mc_analyst_edit_<incident-type> Assign to users who need to view and edit incidents of only a particular incident type on the incident review page. mc_health_report
mc_incident_sla_settings_read
mc_response_template_view
mc_view_im_data
mc_view_soar_apps
mc_view_soar_assets
mc_view_soar_custom_lists
mc_view_soar_system_settings
mc_view_soar_users_roles
mc_analyst_read_<incident-type> Assign to users who need to view, but not edit, incidents of a particular incident type on the incident review page. mc_health_report
mc_incident_read
mc_incident_sla_settings_read
mc_response_template_view
mc_view_im_data
mc_view_soar_apps
mc_view_soar_assets
mc_view_soar_custom_lists
mc_view_soar_system_settings
mc_view_soar_users_roles
mc_observer Assign to users who need to view, but not edit, all incidents on the incident review page. mc_health_report
mc_incident_sla_settings_read
mc_response_template_view
mc_view_im_data
mc_view_soar_apps
mc_view_soar_assets
mc_view_soar_custom_lists
mc_view_soar_system_settings
mc_view_soar_users_roles
mc_soar_asset_owner Assign to Splunk Mission Control users who need to create, edit, and delete Splunk SOAR assets and who also need to view system settings, apps or connectors, and users and roles from Splunk SOAR. mc_delete_soar_assets
mc_edit_soar_assets
mc_view_soar_apps
mc_view_soar_assets
mc_view_soar_system_settings
mc_view_soar_users_roles
mc_soar_automation_engineer Assign to Splunk Mission Control users who need to create, edit, and delete Splunk SOAR custom lists and who also need to view apps, assets, custom lists, system settings, and users and roles from Splunk SOAR. mc_delete_soar_custom_lists
mc_edit_soar_custom_lists
mc_view_soar_apps
mc_view_soar_assets
mc_view_soar_custom_lists
mc_view_soar_system_settings
mc_view_soar_users_roles
mc_soar_incident_commander Assign to Splunk Mission Control users who need to create and edit, but not delete, Splunk SOAR custom lists and who also need to view apps, assets, system settings, and users and roles from Splunk SOAR. mc_edit_soar_custom_lists
mc_view_soar_apps
mc_view_soar_assets
mc_view_soar_custom_lists
mc_view_soar_system_settings
mc_view_soar_users_roles
mc_soar_observer Assign to Splunk Mission Control users who need to view assets, system settings, custom lists, apps or connectors, and users and roles from Splunk SOAR. Users with this role can't edit or delete Splunk SOAR custom lists. mc_view_soar_apps
mc_view_soar_assets
mc_view_soar_custom_lists
mc_view_soar_system_settings
mc_view_soar_users_roles
mc_soar_repo_edit_<repo_name> Assign to users who need to view, edit, and delete playbooks in a particular <repo_name> and who also need to edit playbook code in <repo_name>. mc_delete_soar_assets
mc_delete_soar_custom_lists
mc_edit_soar_apps
mc_edit_soar_assets
mc_edit_soar_custom_lists
mc_edit_soar_system_settings
mc_health_report
mc_incident_read
mc_incident_settings_edit
mc_incident_settings_read
mc_incident_sla_settings_edit
mc_incident_sla_settings_read
mc_response_template_edit
mc_response_template_view
mc_soar_proxy_execute
mc_trigger_backfill
mc_view_im_data
mc_view_soar_apps
mc_view_soar_assets
mc_view_soar_custom_lists
mc_view_soar_system_settings
mc_view_soar_users_roles
mc_soar_repo_execute_<repo_name> Assign to users who need to view and run, but not edit or delete, actions and playbooks in a particular <repo_name>. mc_display_id
mc_health_report
mc_incident_read
mc_incident_settings_edit
mc_incident_settings_read
mc_incident_sla_settings_edit
mc_incident_sla_settings_read
mc_response_template_edit
mc_response_template_view
mc_soar_proxy_execute
mc_trigger_backfill
mc_view_im_data
mc_view_soar_apps
mc_view_soar_assets
mc_view_soar_custom_lists
mc_view_soar_system_settings
mc_view_soar_users_roles
mc_soar_repo_view_<repo_name> Assign to users who need to view, but not edit or delete, playbooks of a particular <repo_name>. mc_display_id
mc_health_report
mc_incident_read
mc_incident_settings_edit
mc_incident_settings_read
mc_incident_sla_settings_edit
mc_incident_sla_settings_read
mc_response_template_edit
mc_response_template_view
mc_soar_proxy_execute
mc_trigger_backfill
mc_view_im_data
mc_view_soar_apps
mc_view_soar_assets
mc_view_soar_custom_lists
mc_view_soar_system_settings
mc_view_soar_users_roles
mc_soar_system_edit Assign to users to allow the Universal Forwarder modular input to send credentials to Splunk SOAR. mc_edit_soar_system_settings
mc_soar_proxy Assign to users to allow the Splunk SOAR proxy user to access Splunk Mission Control endpoints. mc_delete_soar_assets
mc_delete_soar_custom_lists
mc_edit_soar_apps
mc_edit_soar_assets
mc_edit_soar_custom_lists
mc_edit_soar_system_settings
mc_display_id
mc_health_report
mc_incident_read
mc_incident_settings_edit
mc_incident_settings_read
mc_incident_sla_settings_edit
mc_incident_sla_settings_read
mc_response_template_edit
mc_response_template_view
mc_soar_proxy_execute
mc_trigger_backfill
mc_view_im_data
mc_view_soar_apps
mc_view_soar_assets
mc_view_soar_custom_lists
mc_view_soar_system_settings
mc_view_soar_users_roles

After you assign new mc_soar roles to a user, there might be up to a 1-hour delay before your changes reflect in both Splunk Mission Control and Splunk SOAR (Cloud).

Splunk Mission Control includes a few roles for internal use only. Don't use or modify the following roles: mc_analyst, mc_analyst_reader, and mc_soar_automation.

Manage indexes for roles in Splunk Mission Control

Each role in Splunk Mission Control includes access to various indexes. With each particular index, you can use particular features. The following indexes affect functionality in Splunk Mission Control:

Index Function
mc_artifacts View risk-based alerting (RBA) scores for summary fields in an incident investigation.
mc_aux_incidents View incidents on the Incident review page.
mc_events View events in the Events tab of your incident investigation.
phantom_action_run Search for action run logs from Splunk SOAR.
phantom_playbook_run Search for playbook run logs from Splunk SOAR.

The following roles automatically have access to the indexes specific to Splunk Mission Control:

  • ess_admin
  • ess_analyst
  • mc_admin
  • mc_analyst
  • sc_admin

If you want to access an index specific to Splunk Mission Control using another role, you must add the index to the role. For example, if you have the mc_observer role and you want to view events in the Events tab of your incident investigation, then you must add the mc_events index to the mc_observer role.

To add indexes to a role, complete the following steps:

  1. From Splunk Cloud Platform, select Settings and then Roles.
  2. Select the role you want to modify.
  3. Select Indexes.
  4. Add an index to the role by selecting the Included check box.
  5. (Optional) Select the Default check box to automatically use this index in a search when you don't specify any index.
  6. (Optional) To remove an index from the role, deselect the Included check box.
  7. Select Save.

Splunk Mission Control default users

Splunk Mission Control automatically creates the following user accounts after you activate the app. Each user has assigned capabilities for Splunk SOAR (Cloud) functionality in Splunk Mission Control.

User Description Assigned Splunk Mission Control capabilities
soar_automation_user Handles automation tasks such as running actions and playbooks. As a user of Splunk Mission Control, you can't create alternate automation users in the Splunk SOAR user interface.

The soar_automation_user credentials are never shared outside of Splunk Mission Control.
mc_edit_soar_custom_lists
mc_edit_soar_system_settings
mc_health_report
mc_incident_read
mc_incident_sla_settings_read
mc_response_template_view
mc_view_im_data
mc_view_soar_apps
mc_view_soar_assets
mc_view_soar_custom_lists
mc_view_soar_system_settings
mc_view_soar_users_roles
soar_proxy_user Shares Splunk Mission Control API access to a paired Splunk SOAR (Cloud) instance. The paired Splunk SOAR (Cloud) instance only has access to Splunk Mission Control REST APIs and not to any other Splunk app REST APIs.

This user does not have any capabilities from the default Splunk user role.
mc_soar_proxy_execute
soar_system_settings_operator Sends Universal Forwarder configurations to a paired Splunk SOAR (Cloud) instance. Only the paired Splunk SOAR (Cloud) instance has access to the generated Universal Forwarder.

This user does not have any capabilities from the default Splunk user role.
mc_edit_soar_system_settings

User capabilities in Splunk Mission Control

You can update the capabilities of a role assigned to a user. If you're using a custom admin role and want to share the same capabilities as the mc_admin role, make sure to add all of the mc_admin role capabilities listed in the following table.

Do not remove capabilities from the roles included with Splunk Mission Control. Removing capabilities from default roles can affect the functionality, including Splunk SOAR functionality, in Splunk Mission Control.

The following table describes what each Splunk Mission Control capability allows you to do:

Capability Description
edit_missioncontrol_agreements Accept the initial user agreement and activate or deactivate Splunk Mission Control.
edit_intelligence_management Create, edit, delete, and activate intelligence workflows with Threat Intelligence Management in Splunk Mission Control.
mc_delete_soar_asset Delete assets in Splunk SOAR (Cloud).
mc_edit_soar_apps Edit apps in Splunk SOAR (Cloud).
mc_edit_soar_assets Edit assets in Splunk SOAR (Cloud).
mc_health_report Call the health report endpoint on Splunk Mission Control.
mc_incident_settings_read View the Splunk Mission Control settings page.
mc_incident_settings_edit Edit Splunk Mission Control settings.
mc_response_template_view View response templates.
mc_response_template_edit Edit response templates.
mc_trigger_backfill Trigger all incidents in the backfill to get pushed directly to Splunk SOAR.
mc_view_soar_apps View apps in Splunk SOAR (Cloud).
mc_view_soar_assets View assets in Splunk SOAR (Cloud).
mc_incident_sla_settings_read View the Splunk Mission Control incident settings SLA page.
mc_incident_sla_settings_edit Edit the Splunk Mission Control incident SLA settings.
mc_view_soar_system_settings View system settings in Splunk SOAR (Cloud).
mc_edit_soar_system_settings Edit system settings in Splunk SOAR (Cloud).
mc_view_soar_custom_lists View custom lists in Splunk SOAR (Cloud).
mc_edit_soar_custom_lists Edit custom lists in Splunk SOAR (Cloud).
mc_delete_soar_custom_lists Delete custom lists in Splunk SOAR (Cloud).
mc_view_soar_users_roles View users and their roles in Splunk SOAR (Cloud).
mc_view_im_data Access Threat Intelligence Management data.

Edit and delete are separate capabilities in Splunk Mission Control. Edit capabilities don't include the capability to delete.

Splunk Mission Control includes a few capabilities for internal use only. Don't add the following capabilities to roles: mc_display_id and mc_soar_proxy_execute.

Allow users to activate or deactivate Splunk Mission Control

To allow a user to activate or deactivate Splunk Mission Control, you must assign them a role with the edit_missioncontrol_agreements capability, or you can add that capability manually. For example, the sc_admin role includes this capability, so users with the sc_admin role, or a role that imports the sc_admin role, can activate or deactivate Splunk Mission Control. See User capabilities in Splunk Mission Control to learn more about capabilities and which roles they're assigned to.

Allow users to access actions and playbooks in Splunk Mission Control

Users need particular roles and capabilities to use Splunk SOAR actions and playbooks in Splunk Mission Control. To learn more about actions and playbooks, see Automate incident response with playbooks and actions in Splunk Mission Control. To view and manage roles and capabilities for users, select Settings then Roles from Splunk Cloud Platform.

If you are a Splunk SOAR (Cloud) admin, you can't create users or roles in the Splunk SOAR (Cloud) interface after you activate Splunk Mission Control. Instead, you must manage roles and capabilities for users from Splunk Cloud Platform.

Assign roles and capabilities to run actions

To view and run actions in Splunk Mission Control, you must have the view capabilities for Splunk SOAR assets, apps, and custom lists. To allow a user to view the available actions to run on an incident, make sure the user's role has the following capabilities:

  • mc_view_soar_apps
  • mc_view_soar_assets
  • mc_view_soar_custom_lists

You can assign these capabilities to a user by adding the capabilities to an existing role or by creating a new role.

To run an action, a user must also have any mc_soar_repo_execute_<repo_name> role.

The mc_observer role includes the Splunk SOAR view capabilities required to view available actions. To allow a user to run actions, assign any mc_soar_repo_execute_<repo_name> role, and then either add the required view capabilities to the role or assign the mc_observer role as well so that the user inherits those capabilities automatically.

Assign roles and capabilities to view, edit, and run playbooks

To use playbooks in Splunk Mission Control, you must have the view capabilities for Splunk SOAR assets, apps, and custom lists. To allow a user to view the available playbooks to run on an incident, make sure the user's role has the following capabilities:

  • mc_view_soar_apps
  • mc_view_soar_assets
  • mc_view_soar_custom_lists

You can assign these capabilities to a user by adding the capabilities to an existing role or by creating a new role. For example, if you want to assign a custom role to a user who needs to view playbooks, create a new role, and then add the view capabilities for Splunk SOAR assets, apps, and custom lists to the role.

To add the capabilities to an existing role, start by assigning the user one of the following roles for different playbook access types:

  • Edit: Assign the mc_soar_repo_edit_<repo_name> role for users who need to view, edit, and delete playbooks in a repository named <repo_name> and who also need to edit playbook code in a repository named <repo_name>.
  • Run: Assign the mc_soar_repo_execute_<repo_name> role for users who need to view and run playbooks in a repository named <repo_name>.
  • View: Assign the mc_soar_repo_view_<repo_name> role for users who need to only view playbooks of a particular repository named <repo_name>.

Then, add the view capabilities for Splunk SOAR assets, apps, and custom lists to the role.

Use role inheritance to group roles together

In Splunk Mission Control, after you have roles with several incident types, you might find it difficult to manage assigning these roles to users. You can create your own roles to group these roles together. To accomplish this, follow these steps:

  1. Create a new role in Splunk Cloud Platform.
  2. Use role inheritance to add related roles to the role.
  3. Then, assign this new role to users.

For example, you can create a new "phishing_group" role and then add the roles with incident types related to phishing to it. See Add or edit a role in the Securing Splunk Cloud Platform manual.

As you create more incident type roles, you can add them to your new role groupings so that you don't have to assign many individual roles to users.

Last modified on 28 March, 2024
Customize Splunk Mission Control incident settings   Modify app level permissions for Splunk Mission Control

This documentation applies to the following versions of Splunk® Mission Control: Current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters