Assign roles for Splunk App for SOAR
Assign specific roles to administer and view data in Splunk App for SOAR. The splunk_app_soar
role is for administrators only. Other roles described in this article are for nonadministrative users.
Roles for Splunk App for SOAR
The following roles are associated with Splunk App for SOAR, Splunk Enterprise, and Splunk Cloud Platform. Information on assigning the roles appears after this table.
Role name | Description | User type |
---|---|---|
splunk_app_soar
|
Includes permissions needed to administer Splunk App for SOAR, including splunk_app_soar_read and splunk_app_soar_write . Enables administrators to write to the appropriate files to configure Splunk App for SOAR to work with Splunk Enterprise and Splunk Cloud Platform.
|
Administrator |
splunk_app_soar_dashboards
|
Enables a nonadministrative user to view Splunk App for SOAR dashboards. | Nonadministrative user |
phantomsearch
|
Required for remote search. Enables a nonadministrative user to perform remote searches. | Nonadministrative user |
phantomdelete
|
Required for remote search. Enables a nonadministrative user to delete information when performing remote searches. | Nonadministrative user |
Add the splunk_app_soar and splunk_app_soar_dashboards roles to users on Splunk Enterprise
Perform the following steps to add the splunk_app_soar role to the Splunk user setting up the Splunk App for SOAR in supported Splunk Enterprise environments and add the splunk_app_soar_dashboards role to a nonadministrative user:
- Navigate to the Splunk platform instance where you installed Splunk App for SOAR.
- In Splunk Web, select Settings. In the Users and Authentication section, select Users.
- Assign the splunk_app_soar role to a user. For example, if you want the admin user to have Splunk SOAR capabilities, perform these steps:
- For the admin user, in the Actions column, select Edit.
- In the Assign roles section, in the list of Available Item(s), select the splunk_app_soar role. Check that the role moves into the Selected item(s) list.
- Repeat the previous step for the nonadministrative splunk_app_soar_dashboards role and any other roles.
- Select Save.
For additional information on adding roles in Splunk Enterprise, see Add or edit a role in the Securing Splunk Enterprise manual.
Add the splunk_app_soar and splunk_app_soar_dashboards roles to users on Splunk Cloud Platform
To add the splunk_app_soar role to the Splunk user setting up the Splunk App for SOAR in supported Splunk Enterprise environments and add the splunk_app_soar_dashboards role to a nonadministrative user, follow the instructions in Add or edit a role in the Securing Splunk Cloud Platform manual.
Add the phantomsearch and phantomdelete user accounts
Splunk SOAR requires two user accounts with roles added by the remote search service. Add the roles phantomsearch
and phantomdelete
on your Splunk instance or Splunk Cloud Platform deployment for Splunk SOAR. You can use any user names that you prefer for these accounts. These instructions use phantomsearchuser and phantomdeleteuser as examples.
These instructions are the same for standalone and distributed Splunk Cloud Platform or Splunk Enterprise instances.
Create these accounts on a search head. If you are working in a distributed instance, these users will be replicated to the rest of the cluster automatically. See Add users to the search head cluster in the Splunk Enterprise Distributed Search manual.
For more information on remote search, see instructions for distributed or standalone Splunk Cloud Platform or Enterprise instances.
First, create the user account with the phantomsearch
role:
- In Splunk Web, select Settings, then Users.
- Select New User.
- In the Name field, enter phantomsearchuser.
- Set and confirm a password for this user that complies with your organization's security policies.
- Under Assigned role(s), in the Available item(s) box, select phantomsearch to add that role.
- Under Assigned role(s), in the Selected item(s) box, ensure that the user role is present. If it is not, add it as you did with phantomsearch in the previous step.
- Deselect the Require password change on first login check box.
- Select Save.
Repeat all of these steps for the user account with the phantomdelete
role, with the following specifics:
- In step 3, specify the name phantomdeleteuser.
- In step 5, select phantomdelete to add that role.
- In step 6, optionally delete the user role, which is not required for the phantomdeleteuser user.
Install Splunk App for SOAR on Splunk Cloud Platform | Prepare to configure services for |
This documentation applies to the following versions of Splunk® App for SOAR: 1.0.0, 1.0.38, 1.0.41
Feedback submitted, thanks!