Splunk® App for SOAR Export

Use the Splunk App for SOAR Export to Forward Events

This documentation does not apply to the most recent version of Splunk® App for SOAR Export. For documentation on the most recent version, go to the latest release.

Enable Splunk platform users to use Splunk App for SOAR Export

Splunk App for SOAR Export requires that specific roles are added for the Splunk user setting up Splunk App for SOAR Export.

Splunk App for SOAR Export required roles

The following roles are required for Splunk App for SOAR Export users. Additional roles are available, but are not required.

Role name: phantom
Required for interaction with: Splunk SOAR
Description: Used for interacting with Splunk SOAR. Includes both the phantom_read and phantom_write capabilities.

Role name: ess_user
Required for interaction with: Splunk Enterprise
Description: Used for interacting with Splunk Enterprise. Required in addition to phantom when the user runs adaptive response relay. For information on additional roles in Splunk Enterprise, see Define roles on the Splunk platform with capabilities in the Securing Splunk Enterprise documentation.

Role name: sc_admin
Required for interaction with: Splunk Cloud Platform
Description: Used for interacting with Splunk Cloud Platform. Includes the phantom_read and phantom_write capabilities. For information on additional roles in Splunk Cloud Platform, see Define roles on the Splunk platform with capabilities in the Securing Splunk Cloud Platform documentation.


Add the phantom and ess_user roles to users on Splunk Enterprise 9.x or 8.x

Perform the following steps to add the phantom and ess_user roles to the Splunk user setting up Splunk App for SOAR Export in Splunk Enterprise 9.x or 8.x environments:

  1. Navigate to the Splunk platform instance where you installed Splunk App for SOAR Export.
  2. In Splunk Web, select Settings > Roles.
  3. The phantom role includes Splunk SOAR (Splunk Phantom) read and write access and the other capabilities needed to run Splunk App for SOAR Export. To grant those capabilities, assign the phantom role directly to a user, or have an existing role inherit it. For example, if you want every user with the admin role to have Splunk SOAR capabilities, do the following:
    1. Select Edit in the Actions column for the admin role.
    2. In the Inheritance tab, select the checkbox next to the phantom role. All users with the admin role then inherit every capability of the phantom role. If these users will also run adaptive response relay, select the checkbox next to the ess_user role as well.
  4. Select Save.

Add the phantom and ess_user roles to users on Splunk Enterprise 7.3.x

Perform the following steps to add the phantom and ess_user roles to the Splunk user setting up Splunk App for SOAR Export in Splunk Enterprise 7.3.x environments:

  1. Navigate to the Splunk platform instance where you installed Splunk App for SOAR Export.
  2. In Splunk Web, select Settings > Access controls.
  3. Select Roles.
  4. The phantom role includes Splunk SOAR (Splunk Phantom) read and write access and the other capabilities needed to run Splunk App for SOAR Export. To grant those capabilities, assign the phantom role directly to a user, or have an existing role inherit it. For example, if you want every user with the admin role to always have Splunk SOAR capabilities, do the following:
    1. Select admin to edit the role.
    2. Select the Inheritance tab.
    3. Select the checkbox next to the phantom role. All users with the admin role then inherit every capability of the phantom role. If these users will also run adaptive response relay, select the checkbox next to the ess_user role as well.
  5. Select Save.
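Role inheritance in Splunk is transitive, so whether a user actually ends up with the phantom and ess_user roles depends on the whole inheritance chain, not only on the checkbox you ticked. The following script is an added example (not code from Splunk or from the Splunk App for SOAR Export) that reads an authorize.conf-style file, resolves the effective role set and capabilities for a role, and reports which required roles are missing. The sample authorize.conf is constructed for this example; the capability names phantom_read and phantom_write come from the table above, and the 'importRoles' key and 'role_<name>' stanza names are the documented authorize.conf layout. Everything else (role names such as soc_analyst, the capability values) is illustrative.

```python
"""Check that a Splunk role effectively inherits the roles that Splunk App for
SOAR Export needs (phantom, plus ess_user for adaptive response relay).

Added example; reads authorize.conf syntax, resolves transitive importRoles.
"""
import configparser
from typing import Dict, List, Set, Tuple

# Constructed sample authorize.conf. Not taken from any real deployment.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
search = enabled

[role_phantom]
importRoles = user
phantom_read = enabled
phantom_write = enabled

[role_ess_user]
importRoles = user

[role_admin]
importRoles = phantom;ess_user
admin_all_objects = enabled

[role_soc_analyst]
importRoles = user
"""

# Roles the page says are required (assumed role names, as on the page).
REQUIRED_FOR_SOAR_EXPORT: Set[str] = {"phantom"}
REQUIRED_FOR_AR_RELAY: Set[str] = {"phantom", "ess_user"}

# role name -> (directly imported roles, directly enabled capabilities)
RoleTable = Dict[str, Tuple[Set[str], Set[str]]]


def parse_authorize_conf(text: str) -> RoleTable:
    """Parse the [role_<name>] stanzas of an authorize.conf document."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep capability names case-sensitive
    cp.read_string(text)
    roles: RoleTable = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        name = section[len("role_"):]
        raw = cp.get(section, "importRoles", fallback="")
        imported = {r.strip() for r in raw.split(";") if r.strip()}
        caps = {k for k, v in cp.items(section)
                if k != "importRoles" and v.strip().lower() == "enabled"}
        roles[name] = (imported, caps)
    return roles


def effective_roles(roles: RoleTable, name: str) -> Set[str]:
    """Return the role plus every role it inherits, directly or transitively.
    A visited set guards against inheritance cycles."""
    seen: Set[str] = set()
    stack = [name]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        imported, _ = roles.get(current, (set(), set()))
        stack.extend(imported)
    return seen


def effective_capabilities(roles: RoleTable, name: str) -> Set[str]:
    """Union of capabilities over the effective role set."""
    caps: Set[str] = set()
    for role in effective_roles(roles, name):
        caps |= roles.get(role, (set(), set()))[1]
    return caps


def missing_roles(roles: RoleTable, name: str, required: Set[str]) -> List[str]:
    """Required roles that 'name' does not inherit; empty list means compliant."""
    return sorted(required - effective_roles(roles, name))


if __name__ == "__main__":
    table = parse_authorize_conf(SAMPLE_AUTHORIZE_CONF)
    for role in ("admin", "soc_analyst"):
        print(role, "inherits", sorted(effective_roles(table, role)))
        print(role, "missing for AR relay:",
              missing_roles(table, role, REQUIRED_FOR_AR_RELAY))
```

To run this against a live instance, export the effective configuration with the documented command `splunk btool authorize list` on the search head and feed the output to parse_authorize_conf, or compare the result with what Settings > Roles shows in Splunk Web. A role that inherits phantom through another role is fine; one that only carries phantom_read without phantom_write will not be able to forward events.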

Add the phantom role to users on Splunk Cloud Platform

Splunk Cloud Platform users must file a support ticket in order to have Splunk update user roles on your behalf.

Last modified on 02 June, 2023

This documentation applies to the following versions of Splunk® App for SOAR Export: 4.1.117, 4.1.135

