Splunk Add-on for Demisto only sends as admin?

tkw03
Communicator

We have the Splunk Add-on for Demisto set up in our environment. It works as long as the saved search being sent to Demisto is created or owned by admin or users who have the admin capability. It does not work for any other user.

I imagine it's a permissions issue somewhere in the app, maybe the password? Just not sure exactly where the permissions need to be updated.

Thanks!

0 Karma
1 Solution

tkw03
Communicator

The cause was a capability that was not part of any account by default other than the admin.
Added to our service account and working as expected.

0 Karma

diegomssilva
Observer

Which capability did you add? @tkw03

0 Karma

gordo32
Communicator

I had the exact same error with the ServiceNow add-on (which uses a script to inject incident tickets into SNow). The permission I had to grant was "list_storage_passwords". I believe, because the script is being run as the user who created the alert, the user must be able to read the credentials from storage, and pass these to the Python script.

JJ_Yam
Explorer

Thank you for this answer! I had this exact issue where my ServiceNow Event Integration didn't work and the _internal index kept showing the "User does not have permissions" signature. Adding the "list_storage_passwords" capability works!

0 Karma
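An added example, not code from any poster or from either add-on: since the fix in the replies above is to grant "list_storage_passwords" to the account that owns the alert, this sketch resolves `importRoles` inheritance in an authorize.conf and lists every role that effectively holds that capability, so the grant can be confirmed as limited to a dedicated service role. The file content is constructed, and the role names `svc_alert_actions` and `soc_analyst` are hypothetical.

```python
import configparser

CAPABILITY = "list_storage_passwords"
# Constructed sample authorize.conf; svc_alert_actions and soc_analyst are hypothetical roles.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
search = enabled
[role_power]
importRoles = user
schedule_search = enabled
[role_admin]
importRoles = power;user
list_storage_passwords = enabled
[role_svc_alert_actions]
importRoles = user
list_storage_passwords = enabled
[role_soc_analyst]
importRoles = power
"""

def parse_roles(conf_text):
    """Return {role: (enabled_capabilities, imported_roles)} from authorize.conf text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case so importRoles is matched exactly
    parser.read_string(conf_text)
    roles = {}
    for section in parser.sections():
        if not section.startswith("role_"):
            continue  # skip non-role stanzas such as [capability::...]
        items = dict(parser.items(section))
        imports = [r.strip() for r in items.pop("importRoles", "").split(";") if r.strip()]
        caps = {k for k, v in items.items() if v.strip().lower() == "enabled"}
        roles[section[len("role_"):]] = (caps, imports)
    return roles

def effective_capabilities(role, roles, _seen=None):
    """Capabilities held directly or inherited through importRoles (cycle-safe)."""
    seen = _seen if _seen is not None else set()
    if role in seen or role not in roles:
        return set()
    seen.add(role)
    result = set(roles[role][0])
    for parent in roles[role][1]:
        result |= effective_capabilities(parent, roles, seen)
    return result

def roles_with(capability, conf_text):
    """Sorted role names that effectively hold the given capability."""
    roles = parse_roles(conf_text)
    return sorted(r for r in roles if capability in effective_capabilities(r, roles))
```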

spns
New Member

Hi tkw03,

Can you describe what you have done? I have upgraded Demisto Add On version 3.0.2 and when I checked /opt/splunk/var/log/splunk/create_xsoar_incident_modalert.log file there is an error log which says signature="User does not have permissions". Configuration does not have any user requirement. So what actually is this user? I'm also using admin account while creating searches.

0 Karma
