Splunk SOAR (f.k.a. Phantom)

Phantom: What role is best for a user creating a playbook?

ang3la42
New Member

Hi,

I was hoping someone would be able to let me know the correct role to choose for a user whose responsibility will be to create playbooks.

  1. Automation Engineer: Automation Engineers can author rules to automate security actions.
  2. Incident Commander: Incident Commanders are allowed to view/edit Events and are allowed to create new Actions.

The Automation Engineer and the Incident Commander both have these permissions:
Apps: can view
Assets: can view
Events: can edit, can view
Custom Lists: can view
Playbooks: can edit, can view, can execute, can edit code
System Settings: can view
User & Roles: can view

The Incident Commander has a few additional permissions:
Cases: can delete, can edit, can view
Playbooks: can delete
System Settings: can edit

Thank you!


sam_splunk
Splunk Employee

Hi @ang3la42 -
If you're looking for the right out-of-the-box permissions for a user who'll primarily be building playbooks (but not necessarily responding to incidents), then 'Automation Engineer' is the way to go. From the docs, it's described thusly:

"Automation Engineers are responsible for building the playbooks required to automate security operations.
Responsible for:
- Creating and Managing PLAYBOOKS"

However, as you point out, the Automation Engineer role does include the ability to view and edit events (but not cases) - which is useful for testing when building playbooks. Further lock-down could be accomplished by creating a custom role if necessary.

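The answer's closing point, that a custom role could lock things down further, is a least-privilege question: which role covers what a playbook author actually needs while granting the fewest extra rights, and which of those extras are destructive? The Python below is an added example written for this page, not code from the post or from Splunk SOAR. It encodes the two permission lists from the question as data and diffs each role against an assumed "playbook author" baseline (that baseline is my assumption, not a Splunk-defined role, and it keeps Events edit/view because the answer notes that is useful for testing). It does not call the SOAR API; it is the audit you would run on permissions exported from the Administration page before deciding whether a custom role is worth creating.

```python
"""Least-privilege audit of Splunk SOAR (Phantom) role permissions.

Added example, not code from the Splunk Community post or from Splunk SOAR.
Permission sets are transcribed from the question; PLAYBOOK_AUTHOR_BASELINE
is an assumption about what a playbook-only user needs.
"""
from typing import Dict, Set

Perms = Dict[str, Set[str]]

# Automation Engineer permissions as listed in the question: resource -> actions.
AUTOMATION_ENGINEER: Perms = {
    "Apps": {"view"},
    "Assets": {"view"},
    "Events": {"edit", "view"},
    "Custom Lists": {"view"},
    "Playbooks": {"edit", "view", "execute", "edit code"},
    "System Settings": {"view"},
    "User & Roles": {"view"},
}

# Incident Commander = Automation Engineer plus the extras listed in the question.
INCIDENT_COMMANDER: Perms = {res: set(acts) for res, acts in AUTOMATION_ENGINEER.items()}
INCIDENT_COMMANDER["Cases"] = {"delete", "edit", "view"}
INCIDENT_COMMANDER["Playbooks"] |= {"delete"}
INCIDENT_COMMANDER["System Settings"] |= {"edit"}

# Assumed minimum for someone whose only job is writing and testing playbooks.
PLAYBOOK_AUTHOR_BASELINE: Perms = {
    "Apps": {"view"},
    "Assets": {"view"},
    "Events": {"edit", "view"},
    "Playbooks": {"edit", "view", "execute", "edit code"},
}


def excess_permissions(role: Perms, baseline: Perms) -> Perms:
    """Actions the role grants that the baseline does not need (resource -> actions)."""
    excess: Perms = {}
    for resource, actions in role.items():
        extra = actions - baseline.get(resource, set())
        if extra:
            excess[resource] = extra
    return excess


def missing_permissions(role: Perms, baseline: Perms) -> Perms:
    """Actions the baseline needs that the role does not grant."""
    missing: Perms = {}
    for resource, actions in baseline.items():
        gap = actions - role.get(resource, set())
        if gap:
            missing[resource] = gap
    return missing


def destructive_excess(role: Perms, baseline: Perms,
                       destructive=("delete", "edit")) -> Perms:
    """The part of the excess that can change or destroy state (edit/delete)."""
    result: Perms = {}
    for resource, actions in excess_permissions(role, baseline).items():
        risky = {a for a in actions if a in destructive}
        if risky:
            result[resource] = risky
    return result


def pick_role(candidates: Dict[str, Perms], baseline: Perms) -> str:
    """Among roles that fully cover the baseline, pick the one with fewest extras."""
    viable = {
        name: sum(len(v) for v in excess_permissions(perms, baseline).values())
        for name, perms in candidates.items()
        if not missing_permissions(perms, baseline)
    }
    if not viable:
        raise ValueError("no candidate role covers the baseline; build a custom role")
    return min(viable, key=viable.get)


if __name__ == "__main__":
    roles = {"Automation Engineer": AUTOMATION_ENGINEER,
             "Incident Commander": INCIDENT_COMMANDER}
    for name, perms in roles.items():
        print(f"{name}:")
        print("  excess     :", excess_permissions(perms, PLAYBOOK_AUTHOR_BASELINE))
        print("  destructive:", destructive_excess(perms, PLAYBOOK_AUTHOR_BASELINE))
    print("best built-in fit:", pick_role(roles, PLAYBOOK_AUTHOR_BASELINE))
```

Run as-is, it reports that Automation Engineer only adds view rights on Custom Lists, System Settings and User & Roles beyond the baseline (nothing destructive), while Incident Commander also adds Cases delete/edit, Playbooks delete and System Settings edit; `pick_role` therefore selects Automation Engineer. Whether the three extra view rights justify a custom role is a judgement call the audit makes visible rather than answering.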
