We have the Splunk Add-on for Demisto set up in our environment. It works as long as the saved search being sent to Demisto is created or owned by admin or users who have the admin capability. It does not work for any other user.
I imagine it's a permissions issue somewhere in the app, maybe the password? Just not sure exactly where the permissions need to be updated.
Thanks!
The cause was a capability that was not part of any account by default other than the admin.
Added to our service account and working as expected.
Which capability did you add? @tkw03
I had the exact same error with the ServiceNow add-on (which uses a script to inject incident tickets into SNow). The permission I had to grant was "list_storage_passwords". I believe, because the script is being run as the user who created the alert, the user must be able to read the credentials from storage, and pass these to the python script.
Thank you for this answer! I had this exact issue where my ServiceNow Event Integration didn't work and the _internal index kept showing the "User does not have permissions" signature. Adding the "list_storage_passwords" capability works!
Hi tkw03,
Can you describe what you have done? I have upgraded Demisto Add On version 3.0.2 and when I checked the /opt/splunk/var/log/splunk/create_xsoar_incident_modalert.log file there is an error log which says signature="User does not have permissions". The configuration does not have any user requirement. So what actually is this user? I'm also using the admin account while creating searches.