Splunk® App for SOAR

Install and Configure Splunk App for SOAR

This documentation does not apply to the most recent version of Splunk® App for SOAR. For documentation on the most recent version, go to the latest release.

Assign roles for Splunk App for SOAR

Assign specific roles to administer and view data in Splunk App for SOAR. The splunk_app_soar role is for administrators only. Other roles described in this article are for nonadministrative users.

Roles for Splunk App for SOAR

The following roles are associated with Splunk App for SOAR, Splunk Enterprise, and Splunk Cloud Platform. Information on assigning the roles appears after this table.

Role name: splunk_app_soar
  Description: Includes the permissions needed to administer Splunk App for SOAR, including splunk_app_soar_read and splunk_app_soar_write. Lets administrators write to the files needed to configure Splunk App for SOAR to work with Splunk Enterprise and Splunk Cloud Platform.
  User type: Administrator

Role name: splunk_app_soar_dashboards
  Description: Lets a nonadministrative user view Splunk App for SOAR dashboards.
  User type: Nonadministrative user

Role name: phantomsearch
  Description: Required for remote search. Lets a nonadministrative user perform remote searches.
  User type: Nonadministrative user

Role name: phantomdelete
  Description: Required for remote search. Lets a nonadministrative user delete information when performing remote searches.
  User type: Nonadministrative user

Add the splunk_app_soar and splunk_app_soar_dashboards roles to users on Splunk Enterprise

Perform the following steps to add the splunk_app_soar role to the Splunk user who is setting up Splunk App for SOAR in a supported Splunk Enterprise environment, and to add the splunk_app_soar_dashboards role to a nonadministrative user:

  1. Navigate to the Splunk platform instance where you installed Splunk App for SOAR.
  2. In Splunk Web, select Settings. In the Users and Authentication section, select Users.
  3. Assign the splunk_app_soar role to a user. For example, if you want the admin user to have Splunk SOAR capabilities, perform these steps:
    1. For the admin user, in the Actions column, select Edit.
    2. In the Assign roles section, in the list of Available Item(s), select the splunk_app_soar role. Check that the role moves into the Selected item(s) list.
  4. Repeat the previous step for the nonadministrative splunk_app_soar_dashboards role and any other roles.
  5. Select Save.

For additional information on adding roles in Splunk Enterprise, see Add or edit a role in the Securing Splunk Enterprise manual.

Add the splunk_app_soar and splunk_app_soar_dashboards roles to users on Splunk Cloud Platform

To add the splunk_app_soar role to the Splunk user who is setting up Splunk App for SOAR in a supported Splunk Cloud Platform environment, and to add the splunk_app_soar_dashboards role to a nonadministrative user, follow the instructions in Add or edit a role in the Securing Splunk Cloud Platform manual.


Add the phantomsearch and phantomdelete user accounts

Splunk SOAR requires two user accounts on your Splunk platform deployment that hold the roles the remote search service adds, phantomsearch and phantomdelete. Assign these roles to the accounts on your Splunk Enterprise instance or Splunk Cloud Platform deployment for Splunk SOAR. You can use any user names that you prefer for these accounts. These instructions use phantomsearchuser and phantomdeleteuser as examples.

These instructions are the same for standalone and distributed Splunk Cloud Platform or Splunk Enterprise instances.

Create these accounts on a search head. If you are working in a distributed instance, these users will be replicated to the rest of the cluster automatically. See Add users to the search head cluster in the Splunk Enterprise Distributed Search manual.

For more information on remote search, see the remote search instructions for your deployment type, standalone or distributed, on Splunk Cloud Platform or Splunk Enterprise.

First, create the user account with the phantomsearch role:

  1. In Splunk Web, select Settings, then Users.
  2. Select New User.
  3. In the Name field, enter phantomsearchuser.
  4. Set and confirm a password for this user that complies with your organization's security policies.
  5. Under Assigned role(s), in the Available item(s) box, select phantomsearch to add that role.
  6. Under Assigned role(s), in the Selected item(s) box, ensure that the user role is present. If it is not, add it as you did with phantomsearch in the previous step.
  7. Deselect the Require password change on first login check box.
  8. Select Save.

Repeat all of these steps for the user account with the phantomdelete role, with the following specifics:

  • In step 3, specify the name phantomdeleteuser.
  • In step 5, select phantomdelete to add that role.
  • In step 6, optionally delete the user role, which is not required for the phantomdeleteuser user.
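Both procedures on this page (assigning splunk_app_soar or splunk_app_soar_dashboards to an existing user, and creating the phantomsearchuser and phantomdeleteuser accounts) can also be driven through the Splunk REST API on the management port (8089 by default, not the Splunk Web port), which is the practical route for repeatable deployments. The following script is an added example written for this page; it is not part of Splunk App for SOAR or the Splunk documentation. It talks to the authentication/users endpoint using the name, password, roles and force-change-pass parameters, and builds and checks request bodies offline so it can be read and run without a Splunk instance; apply() is the only function that sends anything. The host, the admin credentials, the passwords and the SAMPLE_USER_JSON response are assumed values constructed for the example. One caveat worth checking on your version before running apply(): a POST of roles= to an existing user is treated here as replacing the user's whole role list, so the current roles are read first and resent together with the new one, otherwise the admin user would lose its admin role. On Splunk Cloud Platform, reaching the management port is subject to the platform's IP allowlist settings.

```python
"""
Script the two procedures on this page against the Splunk REST API:
assign splunk_app_soar to an existing user, and create the
phantomsearchuser and phantomdeleteuser accounts with their roles.
Nothing is sent unless you call apply() yourself; the other helpers only
build request bodies and check responses, so the script runs offline.
"""
import json
import ssl
import urllib.parse
import urllib.request
from base64 import b64encode

# Assumed deployment values; replace with your own. 8089 is the management
# port, not the Splunk Web port.
SPLUNK_MGMT = "https://splunk.example.com:8089"
ADMIN_USER = "admin"
ADMIN_PASS = "replace-me"


def encode_form(fields):
    """Encode a form body. A list value becomes a repeated parameter
    (roles=a&roles=b), which is how the REST API takes multi-valued fields."""
    return urllib.parse.urlencode(fields, doseq=True)


def new_user_form(name, password, roles, force_change_pass=False):
    """Body for POST /services/authentication/users (steps 2 to 8 of the
    account procedure). force-change-pass=0 matches deselecting
    'Require password change on first login'."""
    return encode_form({
        "name": name,
        "password": password,
        "roles": list(roles),
        "force-change-pass": "1" if force_change_pass else "0",
    })


def role_update_form(current_roles, add_roles):
    """Body for POST /services/authentication/users/<name> that adds roles.
    Assumption to verify on your version: the roles parameter replaces the
    user's whole role list, so the current roles are resent as well."""
    merged = list(dict.fromkeys(list(current_roles) + list(add_roles)))
    return encode_form({"roles": merged})


def roles_of(user_json):
    """Role list from GET /services/authentication/users/<name>?output_mode=json."""
    doc = json.loads(user_json)
    return list(doc["entry"][0]["content"]["roles"])


def missing_roles(user_json, required):
    """Roles from `required` that the user described by `user_json` lacks."""
    return sorted(set(required) - set(roles_of(user_json)))


def splunk_request(path, body=None, insecure=False):
    """GET (body is None) or POST to the management API with basic auth.
    insecure=True skips TLS verification; use it only against a lab instance."""
    url = f"{SPLUNK_MGMT}{path}?output_mode=json"
    data = body.encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET")
    token = b64encode(f"{ADMIN_USER}:{ADMIN_PASS}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl._create_unverified_context() if insecure else None
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read().decode()


def apply(search_password, delete_password):
    """Run both procedures for real against SPLUNK_MGMT, then verify."""
    users = "/services/authentication/users"
    # Procedure 1: add splunk_app_soar to admin while keeping its current roles.
    current = roles_of(splunk_request(f"{users}/admin"))
    splunk_request(f"{users}/admin", role_update_form(current, ["splunk_app_soar"]))
    # Procedure 2: the two remote-search accounts; phantomdeleteuser does not
    # need the user role.
    splunk_request(users, new_user_form("phantomsearchuser", search_password,
                                        ["phantomsearch", "user"]))
    splunk_request(users, new_user_form("phantomdeleteuser", delete_password,
                                        ["phantomdelete"]))
    # Verification: the check the Web UI steps do by eye in the Selected item(s) box.
    for name, required in (("admin", ["splunk_app_soar"]),
                           ("phantomsearchuser", ["phantomsearch", "user"]),
                           ("phantomdeleteuser", ["phantomdelete"])):
        gap = missing_roles(splunk_request(f"{users}/{name}"), required)
        if gap:
            raise RuntimeError(f"{name} is missing roles: {gap}")


# Constructed sample of a user entry, shaped like the JSON the endpoint
# returns, so the checks can be exercised without a Splunk instance.
SAMPLE_USER_JSON = json.dumps({"entry": [{"name": "phantomsearchuser",
    "content": {"roles": ["phantomsearch", "user"], "force-change-pass": False}}]})

if __name__ == "__main__":
    print(new_user_form("phantomsearchuser", "example-only", ["phantomsearch", "user"]))
    print(role_update_form(["admin"], ["splunk_app_soar"]))
    print("missing:", missing_roles(SAMPLE_USER_JSON, ["phantomsearch", "user", "phantomdelete"]))
```

Run it as-is to see the request bodies it would send; to add splunk_app_soar_dashboards to a nonadministrative user, call role_update_form with that user's current roles and ["splunk_app_soar_dashboards"] in the same way apply() does for admin. Passwords for the two service accounts should come from your secret store rather than the command line, and the two accounts should be excluded from any password-expiry policy that would break remote search.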
Last modified on 28 February, 2024

This documentation applies to the following versions of Splunk® App for SOAR: 1.0.0, 1.0.38, 1.0.41

