Splunk® Phantom (Legacy)

Administer Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Use authorized users to grant authorized access

Authorized Users are enabled by default. Use this setting to toggle whether the Authorized section is visible in the Investigation screen's HUD.

The Authorized control for managing authorized users appears in the Investigation screen when Authorized Users is turned on. The control is in the HUD, which you open with the double-down chevron pull-down tab.

Access the HUD and Event Info by doing the following:

  1. Click the double-down chevron.
  2. Click the right arrow ( > ) next to Event Info.

The Authorized control is located in the People section.

This toggle is available for viewing and editing if your role has view and edit permissions for the system settings. See Manage roles and permissions in Splunk Phantom for more information about roles and permissions.

Disable authorized users by doing the following:

  1. From the main menu, select Administration.
  2. Select Event Settings > Authorized Users.
  3. Click the Enable Authorized Users toggle to the Off position.

Once disabled, the Authorized section is no longer visible in Investigation. Reenabling Authorized Users makes the Authorized section visible in Investigation again and also reenables the authorized access that was previously configured.

Authorized access might not be available for every user in the system by default. Authorized access can only be granted to the subset of users who are already assigned to a label that has edit permissions on the container. For example, some teams only want to allow certain people to work on particular types of cases. Not every user assigned to a label needs access to a particular case.

Grant authorized access by doing the following in Investigation:

  1. Expand the Event Info collapsible section of a container.
  2. Click the edit icon in the Authorized section.
  3. From the Authorized Users drop-down list, select the names of the people who need access.

The Authorized section is visible if you have basic permissions for events with view selected. The Authorized Users drop-down list is editable if you have label permissions for events with view and edit selected.

Administrators always have access to all containers, so you normally don't need to authorize them. However, if you want to restrict a container to administrators only, select Administrators in the Authorized Users list. Selecting specific user names grants access to those users and to administrators.

Last modified on 12 November, 2020

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

