Splunk® App for SOAR

Install and Configure Splunk App for SOAR

This documentation does not apply to the most recent version of Splunk® App for SOAR. For documentation on the most recent version, go to the latest release.

Assign roles for Splunk App for SOAR

Assign specific roles to administer and view data in Splunk App for SOAR.

Roles for Splunk App for SOAR

The following roles are associated with Splunk App for SOAR, Splunk Enterprise, and Splunk Cloud Platform. Information on assigning the roles appears after this table.

Role name Description User type
admin Used to write to the appropriate files to configure Splunk App for SOAR to work with Splunk Enterprise and Splunk Cloud Platform. The admin role includes the following capabilities:
  • splunk_app_soar_read
  • splunk_app_soar_write
  • admin_all_objects, used to make modifications to Splunk App for SOAR
Administrator
splunk_app_soar_dashboards Enables a nonadministrative user to view Splunk App for SOAR dashboards. Nonadministrative user
phantomsearch Required for remote search. Enables a nonadministrative user to perform remote searches. Nonadministrative user
phantomdelete Required for remote search. Enables a nonadministrative user to delete information when performing remote searches. Nonadministrative user

Add the splunk_app_soar and splunk_app_soar_dashboards roles to users on Splunk Enterprise

Perform the following steps to add the splunk_app_soar role to the Splunk user setting up the Splunk App for SOAR in supported Splunk Enterprise environments and add the splunk_app_soar_dashboards role to a nonadministrative user:

  1. Navigate to the Splunk platform instance where you installed Splunk App for SOAR.
  2. In Splunk Web, select Settings. In the Users and Authentication section, select Roles.
  3. Assign the splunk_app_soar role to a user or role. For example, if you want the Analyst role to have Splunk SOAR capabilities, perform these steps:
    1. For the Analyst role, in the Actions column, select Edit.
    2. In the Inheritance tab, select the check box next to the splunk_app_soar role. This will cause all users with the admin role to also inherit all privileges from the splunk_app_soar role.
  4. Repeat the previous steps for the nonadministrative splunk_app_soar_dashboards role and any other roles.
  5. Select Save.

For additional information on adding roles in Splunk Enterprise, see Add or edit a role in the Securing Splunk Enterprise manual.

When inheriting a role, the inheritance works for one level only. For example, the splunk_app_soar_dashboards role might be inherited by the Analyst role, which in turn is inherited by the User role. The Analyst role would have the splunk_app_soar_dashboards capabilities, but the User role would not, because it is more than one level away from the splunk_app_soar_dashboards role.

Add the splunk_app_soar and splunk_app_soar_dashboards roles to users on Splunk Cloud Platform

To add the splunk_app_soar role to the Splunk user setting up the Splunk App for SOAR in supported Splunk Enterprise environments and add the splunk_app_soar_dashboards role to a nonadministrative user, follow the instructions in Add or edit a role in the Securing Splunk Cloud Platform manual.


When inheriting a role, the inheritance works for one level only. See detailed note about inheritance in the previous section.

Add the phantomsearch and phantomdelete user accounts

Splunk SOAR requires two user accounts with roles added by the remote search service. Add the roles phantomsearch​ and ​phantomdelete​ on your Splunk instance or Splunk Cloud Platform deployment for Splunk SOAR. You can use any user names that you prefer for these accounts. These instructions use ​phantomsearchuser​ and ​phantomdeleteuser as examples​.

These instructions are the same for standalone and distributed Splunk Cloud Platform or Splunk Enterprise instances.

Create these accounts on a search head. If you are working in a distributed instance, these users will be replicated to the rest of the cluster automatically. See Add users to the search head cluster in the Splunk Enterprise Distributed Search manual.

For more information on remote search, see instructions for distributed or standalone Splunk Cloud Platform or Enterprise instances.

First, create the user account with the phantomsearch role:

  1. In Splunk Web, select Settings, then Users.
  2. Select ​New User​.
  3. In the ​Name field, enter ​phantomsearchuser​.
  4. Set and confirm a password for this user that complies with your organization's security policies.
  5. Under ​Assigned role(s)​, in the ​Available item(s)​ box, select ​phantomsearch​ to add that role.
  6. Under ​Assigned role(s)​, in the ​Selected item(s)​ box, ensure that the ​user​ role is present. If it is not, add it as you did with ​phantomsearch​ in the previous step.
  7. Deselect the ​Require password change on first login​ check box.
  8. Select Save.

Repeat all of these steps for the user account with the phantomdelete role, with the following specifics:

  • In step 3, specify the name phantomdeleteuser.
  • In step 5, select phantomdelete to add that role.
  • In step 6, optionally delete the user role, which is not required for the phantomdeleteuser user.
Last modified on 13 December, 2024
Install Splunk App for SOAR on Splunk Cloud Platform   Prepare to configure services for

This documentation applies to the following versions of Splunk® App for SOAR: 1.0.57, 1.0.67


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters