Enable Splunk platform users to use Splunk App for SOAR Export
Splunk App for SOAR Export requires that specific roles be assigned to the Splunk user who sets up Splunk App for SOAR Export.
Splunk App for SOAR Export required roles
The following roles are required for Splunk App for SOAR Export users. Additional roles are available, but are not required.
For additional details on these and other roles, refer to the following topics:
- Splunk Enterprise: Define roles on the Splunk platform with capabilities in the Securing Splunk Enterprise documentation.
- Splunk Cloud Platform: Define roles on the Splunk platform with capabilities in the Securing Splunk Cloud Platform documentation.
Role name | Required for interaction with | Description
---|---|---
phantom | Splunk SOAR | Used for interacting with Splunk SOAR. Includes both the phantom_read and phantom_write capabilities. The admin and sc_admin roles also include the phantom_read and phantom_write capabilities.
ess_user | Splunk Enterprise | Used for interacting with Splunk Enterprise.
admin | Splunk Enterprise | Used for interacting with Splunk Enterprise. Includes capabilities:
sc_admin | Splunk Cloud Platform | Used for interacting with Splunk Cloud Platform. Includes capabilities:
Add the ess_user and phantom roles to users on Splunk Enterprise
The ess_user role is required for admin users who will use adaptive response relay.
The phantom capabilities, phantom_read and phantom_write, are needed to run Splunk App for SOAR Export and are already part of the admin role. You must add the phantom role to any other users and roles that require its functionality.
Perform the following steps to add the ess_user and phantom roles to the Splunk user setting up Splunk App for SOAR Export in Splunk Enterprise environments:
- Navigate to the Splunk platform instance where you installed Splunk App for SOAR Export.
- In Splunk Web, select Settings > Roles.
- To set up the ess_user and phantom capabilities, assign the ess_user and phantom roles to a user or a role. For example, if you want the manager role to have the ess_user and phantom capabilities, perform the following steps:
  - Select Edit in the Actions column for the manager role.
  - In the Inheritance tab, select the checkboxes next to the ess_user and phantom roles. All users with the manager role will then inherit all privileges of the ess_user and phantom roles.
  - Select Save.
Add the ess_user and phantom roles to users on Splunk Cloud Platform
The phantom capabilities, phantom_read and phantom_write, are needed to run Splunk App for SOAR Export and are already part of the admin and sc_admin roles. You must add the phantom role to any other users and roles that require its functionality.
Running Adaptive Response Relay with Splunk Cloud Classic Single Instance architectures requires the user to have either the ess_admin role or the accelerate_datamodel capability.
Perform the following steps to add the ess_user and phantom roles to the Splunk user setting up Splunk App for SOAR Export in Splunk Cloud Platform:
- Navigate to the Splunk platform instance where you installed Splunk App for SOAR Export.
- In Splunk Web, select Settings > Roles.
- To set up the ess_user and phantom capabilities, assign the ess_user and phantom roles to a user or a role. For example, if you want the manager role to have all of the ess_user and phantom capabilities, perform these steps:
  - Select Edit in the Actions column for the manager role.
  - In the Inheritance tab, select the checkboxes next to the ess_user and phantom roles. All users with the manager role will then inherit all privileges of the ess_user and phantom roles.
  - Select Save.
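Role inheritance is transitive, so a role that imports manager also ends up with phantom_read and phantom_write. Before and after the Splunk Enterprise or Splunk Cloud Platform procedure above, it is useful to confirm which roles effectively hold the two phantom capabilities and nothing more than intended. The following script is an added example, not part of the Splunk documentation or the app: it parses an authorize.conf-style fragment (the `[role_<name>]` stanza, `importRoles = a;b` and `<capability> = enabled` conventions are assumed to match the Splunk format), resolves inherited capabilities, and reports whether a given role can run Splunk App for SOAR Export. The sample configuration, including the placeholder capability under `[role_ess_user]`, is constructed for the example.

```python
"""Resolve effective Splunk role capabilities from an authorize.conf-style
fragment and check whether a role satisfies the Splunk App for SOAR Export
requirement (phantom_read and phantom_write).

Added example, not Splunk documentation or app code. Assumes the
authorize.conf conventions: [role_<name>] stanzas, `importRoles = a;b`
and `<capability> = enabled`.
"""
import configparser
from typing import Dict, List, Set

# Capabilities the page names as required (granted by the phantom role).
REQUIRED_CAPABILITIES = {"phantom_read", "phantom_write"}

# Constructed sample authorize.conf content, not from a real deployment.
SAMPLE_AUTHORIZE_CONF = """
[role_phantom]
phantom_read = enabled
phantom_write = enabled

[role_ess_user]
# placeholder capability standing in for the real ess_user grants
edit_search_schedule_priority = enabled

[role_manager]
importRoles = ess_user;phantom

[role_analyst]
importRoles = ess_user

[role_admin]
phantom_read = enabled
phantom_write = enabled
edit_roles = enabled
"""


def parse_roles(conf_text: str) -> Dict[str, dict]:
    """Return {role: {'imports': [...], 'capabilities': {...}}} from conf text."""
    parser = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    parser.optionxform = str  # keep capability names case-sensitive
    parser.read_string(conf_text)
    roles: Dict[str, dict] = {}
    for section in parser.sections():
        if not section.startswith("role_"):
            continue
        name = section[len("role_"):]
        imports: List[str] = []
        caps: Set[str] = set()
        for key, value in parser.items(section):
            if key == "importRoles":
                imports = [r.strip() for r in value.split(";") if r.strip()]
            elif value is not None and value.strip().lower() == "enabled":
                caps.add(key)
        roles[name] = {"imports": imports, "capabilities": caps}
    return roles


def effective_capabilities(roles: Dict[str, dict], role: str,
                           _seen: Set[str] = None) -> Set[str]:
    """Capabilities held directly or inherited transitively via importRoles.
    Unknown roles contribute nothing; _seen guards against import cycles."""
    if _seen is None:
        _seen = set()
    if role in _seen or role not in roles:
        return set()
    _seen.add(role)
    caps = set(roles[role]["capabilities"])
    for parent in roles[role]["imports"]:
        caps |= effective_capabilities(roles, parent, _seen)
    return caps


def can_run_soar_export(roles: Dict[str, dict], role: str) -> bool:
    """True when the role effectively holds phantom_read and phantom_write."""
    return REQUIRED_CAPABILITIES <= effective_capabilities(roles, role)


def missing_capabilities(roles: Dict[str, dict], role: str) -> List[str]:
    """Required capabilities the role still lacks, sorted for stable output."""
    return sorted(REQUIRED_CAPABILITIES - effective_capabilities(roles, role))


if __name__ == "__main__":
    parsed = parse_roles(SAMPLE_AUTHORIZE_CONF)
    for role_name in sorted(parsed):
        status = "ok" if can_run_soar_export(parsed, role_name) else "missing"
        print(f"{role_name:10} {status:8} {missing_capabilities(parsed, role_name)}")
```

Running the script against the constructed sample reports manager and admin as satisfying the requirement and analyst as missing both phantom capabilities. Pointing it at an exported authorize.conf is a quick way to catch roles that inherited phantom_write through a chain of imports that nobody intended to grant it.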
This documentation applies to the following versions of Splunk® App for SOAR Export: 4.3.2