Splunk SOAR (f.k.a. Phantom)
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Phantom: What role is best for a user creating a playbook?

ang3la42
New Member
‎08-02-2019 01:06 PM

Hi,

I was hoping someone would be able to let me know the correct role to choose for a user whose responsibility will be to create playbooks.

  1. Automation Engineer: Automation Engineers can author rules to automate security actions.
  2. Incident Commander: Incident Commanders are allowed to view/edit Events and are allowed to create new Actions.

The Automation Engineer and the Incident Commander both have these permissions:
Apps: can view
Assets: can view
Events: can edit, can view
Custom Lists: can view
Playbooks: can edit, can view, can execute, can edit code
System Settings: can view
User & Roles: can view

The Incident Commander has a few additional permissions:
Cases: can delete, can edit, can view
Playbooks: can delete
System Settings: can edit

Thank you!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sam_splunk
Splunk Employee
Splunk Employee
‎08-15-2019 02:10 PM

Hi @ang3la42 -
If you're looking for the right out-of-the-box permissions for a user who'll primarily be building playbooks (but not necessarily responding to incidents), then 'Automation Engineer' is the way to go. From the docs, its described thusly:

Automation Engineers are responsible for building the playbooks required to automate security operations.
Responsible for:
- Creating and Managing PLAYBOOKS"

However, as you point out, the Automation Engineer role does include the ability to view and edit events (but not cases) - which is useful for testing when building playbooks. Further lock-down could be accomplished by creating a custom role if necessary.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sam_splunk
Splunk Employee
Splunk Employee
‎08-15-2019 02:10 PM

Hi @ang3la42 -
If you're looking for the right out-of-the-box permissions for a user who'll primarily be building playbooks (but not necessarily responding to incidents), then 'Automation Engineer' is the way to go. From the docs, its described thusly:

Automation Engineers are responsible for building the playbooks required to automate security operations.
Responsible for:
- Creating and Managing PLAYBOOKS"

However, as you point out, the Automation Engineer role does include the ability to view and edit events (but not cases) - which is useful for testing when building playbooks. Further lock-down could be accomplished by creating a custom role if necessary.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...