Splunk SOAR (f.k.a. Phantom)

Phantom: What role is best for a user creating a playbook?

ang3la42
New Member

Hi,

I was hoping someone would be able to let me know the correct role to choose for a user whose responsibility will be to create playbooks.

  1. Automation Engineer: Automation Engineers can author rules to automate security actions.
  2. Incident Commander: Incident Commanders are allowed to view/edit Events and are allowed to create new Actions.

The Automation Engineer and the Incident Commander both have these permissions:
Apps: can view
Assets: can view
Events: can edit, can view
Custom Lists: can view
Playbooks: can edit, can view, can execute, can edit code
System Settings: can view
User & Roles: can view

The Incident Commander has a few additional permissions:
Cases: can delete, can edit, can view
Playbooks: can delete
System Settings: can edit

Thank you!

Labels (1)
0 Karma
1 Solution

sam_splunk
Splunk Employee
Splunk Employee

Hi @ang3la42 -
If you're looking for the right out-of-the-box permissions for a user who'll primarily be building playbooks (but not necessarily responding to incidents), then 'Automation Engineer' is the way to go. From the docs, its described thusly:

Automation Engineers are responsible for building the playbooks required to automate security operations.
Responsible for:
- Creating and Managing PLAYBOOKS"

However, as you point out, the Automation Engineer role does include the ability to view and edit events (but not cases) - which is useful for testing when building playbooks. Further lock-down could be accomplished by creating a custom role if necessary.

View solution in original post

0 Karma

sam_splunk
Splunk Employee
Splunk Employee

Hi @ang3la42 -
If you're looking for the right out-of-the-box permissions for a user who'll primarily be building playbooks (but not necessarily responding to incidents), then 'Automation Engineer' is the way to go. From the docs, its described thusly:

Automation Engineers are responsible for building the playbooks required to automate security operations.
Responsible for:
- Creating and Managing PLAYBOOKS"

However, as you point out, the Automation Engineer role does include the ability to view and edit events (but not cases) - which is useful for testing when building playbooks. Further lock-down could be accomplished by creating a custom role if necessary.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...