Splunk SOAR

Phantom: What role is best for a user creating a playbook?

ang3la42
New Member

Hi,

I was hoping someone would be able to let me know the correct role to choose for a user whose responsibility will be to create playbooks.

  1. Automation Engineer: Automation Engineers can author rules to automate security actions.
  2. Incident Commander: Incident Commanders are allowed to view/edit Events and are allowed to create new Actions.

The Automation Engineer and the Incident Commander both have these permissions:
Apps: can view
Assets: can view
Events: can edit, can view
Custom Lists: can view
Playbooks: can edit, can view, can execute, can edit code
System Settings: can view
User & Roles: can view

The Incident Commander has a few additional permissions:
Cases: can delete, can edit, can view
Playbooks: can delete
System Settings: can edit

Thank you!

Labels (1)
0 Karma
1 Solution

sam_splunk
Splunk Employee
Splunk Employee

Hi @ang3la42 -
If you're looking for the right out-of-the-box permissions for a user who'll primarily be building playbooks (but not necessarily responding to incidents), then 'Automation Engineer' is the way to go. From the docs, its described thusly:

Automation Engineers are responsible for building the playbooks required to automate security operations.
Responsible for:
- Creating and Managing PLAYBOOKS"

However, as you point out, the Automation Engineer role does include the ability to view and edit events (but not cases) - which is useful for testing when building playbooks. Further lock-down could be accomplished by creating a custom role if necessary.

View solution in original post

0 Karma

sam_splunk
Splunk Employee
Splunk Employee

Hi @ang3la42 -
If you're looking for the right out-of-the-box permissions for a user who'll primarily be building playbooks (but not necessarily responding to incidents), then 'Automation Engineer' is the way to go. From the docs, its described thusly:

Automation Engineers are responsible for building the playbooks required to automate security operations.
Responsible for:
- Creating and Managing PLAYBOOKS"

However, as you point out, the Automation Engineer role does include the ability to view and edit events (but not cases) - which is useful for testing when building playbooks. Further lock-down could be accomplished by creating a custom role if necessary.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...