Splunk® App for SOAR Export

Use the Splunk App for SOAR Export to Forward Events

This documentation does not apply to the most recent version of Splunk® App for SOAR Export. For documentation on the most recent version, go to the latest release.

Enable Splunk platform users to use Splunk App for SOAR Export

Splunk App for SOAR Export requires that specific roles are added for the Splunk user setting up Splunk App for SOAR Export.

Splunk App for SOAR Export required roles

The following roles are required for Splunk App for SOAR Export users. Additional rules are available, but are not required.

Role name Required for interaction with Description
phantom Splunk SOAR Used for interacting with Splunk SOAR. Includes both phantom_read and phantom_write permissions.
ess_user Splunk Enterprise Used for interacting with Splunk Enterprise.


For information on additional roles in Splunk Enterprise, see Define roles on the Splunk platform with capabilities in the Securing Securing Splunk Enterprise documentation.

sc_admin Splunk Cloud Platform Used for interacting with Splunk Cloud Platform. Includes phantom_read and phantom_write capabilities.


For information on additional roles in Splunk Cloud Platform, see Define roles on the Splunk platform with capabilities in the Securing Securing Splunk Cloud Platform documentation..

Add the phantom and ess_user roles to users on Splunk Enterprise

Perform the following steps to add the phantom and ess_user roles to the Splunk user setting up the Splunk App for SOAR Export in Splunk Enterprise environments:

  1. Navigate to the Splunk platform instance where you installed the Splunk App for SOAR Export.
  2. In Splunk Web, select Settings > Roles.
  3. The phantom role includes Splunk Phantom read and write access and other permissions needed to run the Splunk App for SOAR Export. To set up Splunk Phantom capabilities, assign the phantom role to a user or a role. For example, if you want the admin role to have Splunk Phantom capabilities, do the following:
    1. Select Edit in the Actions column for the admin role.
    2. In the Inheritance tab, select the checkbox next to the phantom role. This will cause all users with the admin role to also inherit all privileges from the phantom role. If this admin user will be using adaptive response relay, you must also inherit the ess_user role.
  4. Select Save.

Add the phantom role to users on Splunk Cloud Platform

Perform the following steps to add the phantom and ess_user roles to the Splunk user setting up Splunk App for SOAR Export in Splunk Cloud Platform:

  1. Navigate to the Splunk platform instance where you installed Splunk App for SOAR Export.
  2. In Splunk Web, select Settings > Roles.
  3. The phantom role includes phantom_read and phantom_write access, along with other permissions needed to run Splunk App for SOAR Export. To set up all of the phantom capabilities, assign the phantom role to a user or a role. For example, if you want the sc_admin role to have all of the phantom capabilities, perform these steps:
    1. Select Edit in the Actions column for the sc_admin role.
    2. In the Inheritance tab, select the checkbox next to the phantom role. This will cause all users with the sc_admin role to also inherit all privileges from the phantom role. If this user will be using adaptive response relay, you must also inherit the ess_user role.
  4. Select Save.
Last modified on 26 September, 2023
Steps to connect the Splunk platform with Splunk SOAR   Provide a valid SSL certificate for the connection between Splunk SOAR and Splunk Enterprise

This documentation applies to the following versions of Splunk® App for SOAR Export: 4.2.3

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters