Splunk® App for SOAR Export

Use the Splunk App for SOAR Export to Forward Events

Allow Splunk platform users to use Splunk App for SOAR Export

Splunk App for SOAR Export requires that specific roles are added for the Splunk user setting up Splunk App for SOAR Export.

Splunk App for SOAR Export required roles

The following roles are required for Splunk App for SOAR Export users. Additional roles are available, but are not required.
For additional details on these and other roles, refer to the following topics:

Role name: phantom
  Required for interaction with: Splunk SOAR
  Description: Used for interacting with Splunk SOAR. Includes both the phantom_read and phantom_write capabilities. The admin and sc_admin roles also include the phantom_read and phantom_write capabilities.

Role name: ess_user
  Required for interaction with: Splunk Enterprise
  Description: Used for interacting with Splunk Enterprise.

Role name: admin
  Required for interaction with: Splunk Enterprise
  Description: Used for interacting with Splunk Enterprise. Includes the following capabilities:
  • phantom_read and phantom_write
  • admin_all_objects, used to make modifications to Splunk App for SOAR Export.

Role name: sc_admin
  Required for interaction with: Splunk Cloud Platform
  Description: Used for interacting with Splunk Cloud Platform. Includes the following capabilities:
  • phantom_read and phantom_write
  • admin_all_objects, used to make modifications to Splunk App for SOAR Export.

Add the ess_user and phantom roles to users on Splunk Enterprise

The ess_user role is required for admin users who will be using adaptive response relay.

Phantom capabilities, phantom_read and phantom_write, are needed to run the Splunk App for SOAR Export, and are already part of the admin role. You must add the phantom role for other users and roles that require its functionality.

Perform the following steps to add the ess_user and phantom roles to the Splunk user setting up the Splunk App for SOAR Export in Splunk Enterprise environments:

  1. Navigate to the Splunk platform instance where you installed the Splunk App for SOAR Export.
  2. In Splunk Web, select Settings > Roles.
  3. To set up ess_user and phantom capabilities, assign the ess_user and phantom roles to a user or a role. For example, if you want the manager role to have ess_user and phantom capabilities, perform the following steps:
    1. Select Edit in the Actions column for the manager role.
    2. In the Inheritance tab, select the checkbox next to the ess_user and phantom roles. This will cause all users with the manager role to also inherit all privileges from the ess_user and phantom roles.
  4. Select Save.

Add the ess_user and phantom roles to users on Splunk Cloud Platform

Phantom capabilities, phantom_read and phantom_write, are needed to run the Splunk App for SOAR Export, and are already part of the admin and sc_admin roles. You must add the phantom role for other users and roles that require its functionality.

Running Adaptive Response Relay with Splunk Cloud Classic Single Instance architectures requires the user to have either the ess_admin role or the accelerate_datamodel capability.

Perform the following steps to add the ess_user and phantom roles to the Splunk user setting up Splunk App for SOAR Export in Splunk Cloud Platform:

  1. Navigate to the Splunk platform instance where you installed Splunk App for SOAR Export.
  2. In Splunk Web, select Settings > Roles.
  3. To set up ess_user and phantom capabilities, assign the ess_user and phantom roles to a user or a role. For example, if you want the manager role to have all of the ess_user and phantom capabilities, perform these steps:
    1. Select Edit in the Actions column for the manager role.
    2. In the Inheritance tab, select the checkboxes next to the ess_user and phantom roles. This will cause all users with the manager role to also inherit all privileges from the ess_user and phantom roles.
  4. Select Save.
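Both procedures above grant capabilities through role inheritance, so every user holding the edited role (manager in the example) ends up with everything the ess_user and phantom roles carry, not just the two phantom capabilities. On Splunk Enterprise that inheritance is stored as the importRoles key of the [role_<name>] stanza in authorize.conf. The following script is an added example, not part of this documentation or of the Splunk App for SOAR Export: it parses a constructed authorize.conf fragment, resolves inheritance transitively, and reports which roles end up with a given capability, which is the check to run before and after the steps above to confirm that only the intended roles gained phantom_write. The role and capability stanzas in the sample are constructed for illustration and do not reproduce the full capability lists of the real roles.

```python
import configparser
from typing import Dict, List, Set

# Constructed sample in authorize.conf syntax (not taken from a real deployment).
# Splunk roles are [role_<name>] stanzas; inheritance is the semicolon-separated
# "importRoles" key; a capability is granted by "<capability> = enabled".
SAMPLE_AUTHORIZE_CONF = """
[capability::phantom_read]
[capability::phantom_write]
[capability::admin_all_objects]
[capability::search]

[role_phantom]
phantom_read = enabled
phantom_write = enabled

[role_ess_user]
search = enabled

[role_admin]
importRoles = phantom
admin_all_objects = enabled

[role_manager]
importRoles = ess_user;phantom

[role_analyst]
search = enabled
"""


def parse_roles(conf_text: str) -> Dict[str, Dict[str, object]]:
    """Return {role: {"imports": [...], "caps": {...}}} from authorize.conf text."""
    parser = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    parser.optionxform = str  # capability names are case-sensitive; do not lowercase
    parser.read_string(conf_text)
    roles: Dict[str, Dict[str, object]] = {}
    for section in parser.sections():
        if not section.startswith("role_"):
            continue  # skip [capability::...] and any other stanza types
        name = section[len("role_"):]
        imports: List[str] = []
        caps: Set[str] = set()
        for key, value in parser.items(section):
            if key == "importRoles":
                imports = [r.strip() for r in (value or "").split(";") if r.strip()]
            elif (value or "").strip().lower() == "enabled":
                caps.add(key)
        roles[name] = {"imports": imports, "caps": caps}
    return roles


def effective_roles(conf_text: str, role: str) -> Set[str]:
    """Role plus everything it inherits, following importRoles transitively (cycle-safe)."""
    roles = parse_roles(conf_text)
    seen: Set[str] = set()
    stack = [role]
    while stack:
        current = stack.pop()
        if current in seen or current not in roles:
            continue  # already visited, or references a role the file does not define
        seen.add(current)
        stack.extend(roles[current]["imports"])
    return seen


def effective_capabilities(conf_text: str, role: str) -> Set[str]:
    """Union of the capabilities of a role and of every role it inherits from."""
    roles = parse_roles(conf_text)
    caps: Set[str] = set()
    for r in effective_roles(conf_text, role):
        caps |= roles[r]["caps"]
    return caps


def roles_with_capability(conf_text: str, capability: str) -> List[str]:
    """Audit helper: every role that ends up holding the capability, directly or by inheritance."""
    return sorted(
        r for r in parse_roles(conf_text) if capability in effective_capabilities(conf_text, r)
    )


if __name__ == "__main__":
    # Audit view after assigning ess_user and phantom to manager via the Inheritance tab.
    for cap in ("phantom_read", "phantom_write", "admin_all_objects"):
        print(f"{cap}: {roles_with_capability(SAMPLE_AUTHORIZE_CONF, cap)}")
    print("manager inherits:", sorted(effective_roles(SAMPLE_AUTHORIZE_CONF, "manager")))
```

Run it against a copy of the merged authorize.conf (for example the output of splunk btool authorize list) to confirm that phantom_write reaches only the roles you intended; on Splunk Cloud Platform, where the file is not directly editable, the same review is done through the Settings > Roles page or the REST authorization endpoints.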
Last modified on 16 October, 2024

This documentation applies to the following versions of Splunk® App for SOAR Export: 4.3.13, 4.3.21