Enable Splunk platform users to use Splunk App for SOAR Export
Splunk App for SOAR Export requires that specific roles are added for the Splunk user setting up Splunk App for SOAR Export.
Splunk App for SOAR Export required roles
The following roles are required for Splunk App for SOAR Export users. Additional rules are available, but are not required.
Role name | Required for interaction with | Description |
---|---|---|
phantom | Splunk SOAR | Used for interacting with Splunk SOAR. Includes both phantom_read and phantom_write permissions. |
ess_user | Splunk Enterprise | Used for interacting with Splunk Enterprise.
|
sc_admin | Splunk Cloud Platform | Used for interacting with Splunk Cloud Platform. Includes phantom_read and phantom_write capabilities.
|
Add the phantom and ess_user roles to users on Splunk Enterprise
Perform the following steps to add the phantom and ess_user roles to the Splunk user setting up the Splunk App for SOAR Export in Splunk Enterprise environments:
- Navigate to the Splunk platform instance where you installed the Splunk App for SOAR Export.
- In Splunk Web, select Settings > Roles.
- The phantom role includes Splunk Phantom read and write access and other permissions needed to run the Splunk App for SOAR Export. To set up Splunk Phantom capabilities, assign the phantom role to a user or a role. For example, if you want the admin role to have Splunk Phantom capabilities, do the following:
- Select Edit in the Actions column for the admin role.
- In the Inheritance tab, select the checkbox next to the phantom role. This will cause all users with the admin role to also inherit all privileges from the phantom role. If this admin user will be using adaptive response relay, you must also inherit the ess_user role.
- Select Save.
Add the phantom role to users on Splunk Cloud Platform
Perform the following steps to add the phantom and ess_user roles to the Splunk user setting up Splunk App for SOAR Export in Splunk Cloud Platform:
- Navigate to the Splunk platform instance where you installed Splunk App for SOAR Export.
- In Splunk Web, select Settings > Roles.
- The phantom role includes phantom_read and phantom_write access, along with other permissions needed to run Splunk App for SOAR Export. To set up all of the phantom capabilities, assign the phantom role to a user or a role. For example, if you want the sc_admin role to have all of the phantom capabilities, perform these steps:
- Select Edit in the Actions column for the sc_admin role.
- In the Inheritance tab, select the checkbox next to the phantom role. This will cause all users with the sc_admin role to also inherit all privileges from the phantom role. If this user will be using adaptive response relay, you must also inherit the ess_user role.
- Select Save.
This documentation applies to the following versions of Splunk® App for SOAR Export: 4.2.3
Feedback submitted, thanks!