Capability reference for Splunk Enterprise Security

Capabilities are defined in the authorize.conf configuration file for Splunk Enterprise Security. The following reference table defines relevant capabilities for Splunk Enterprise Security and specifies which roles include each capability by default.

Do not remove the list_inputs capability from a role.
Capability | Description | ess_admin | ess_analyst | ess_user |
---|---|---|---|---|
edit_filter_sets | Allows a Splunk Enterprise Security administrator to configure specific views for analysts based on their roles in the organization. Also allows users and analysts to see the saved views that are available to them. | X | X | |
edit_uba_settings | Access data sent from Splunk Enterprise to Splunk UBA. | X | | |
edit_cam_queue | Write to the Common Action Model (CAM) queue. See Configure adaptive response action relays in Splunk Enterprise Security. | X | | |
edit_modinput_configuration_check | Allows you to run configuration checks. | X | | |
edit_notable_events | Create ad-hoc findings from search results. See Configure findings manually to track specific fields in Splunk Enterprise Security. | X | X | |
admin_all_objects, list_storage_passwords, list_app_certs, edit_app_certs, delete_app_certs | Manage credentials and certificates for Splunk Enterprise Security and other apps. Cannot be set on the Permissions page. See Manage credentials in Splunk Enterprise Security. | X | | |
edit_modinput_data_migrator | Allows you to perform one-time data migrations. | X | | |
edit_modinput_dm_accel_settings | Determines who can edit the Data Model Acceleration (DMA) modular input. DMA is turned on for the required data models by a modular input by default. | X | | |
edit_modinput_whois | Make changes to the whois modular input. | X | | |
edit_search_schedule_priority, edit_search_schedule_window | Edit the schedule priority and schedule window of detections. | X | | |
edit_correlationsearches, schedule_search | Edit detections. Users with this capability can also export content from Content Management as an app. See Export content as an app from Splunk Enterprise Security. | X | | |
edit_modinput_es_deployment_manager | Use distributed configuration management. See Deploy add-ons included with Splunk Enterprise Security. | X | | |
edit_es_navigation | Make changes to the Splunk Enterprise Security navigation. See Customize the menu bar in Splunk Enterprise Security. | X | | |
edit_modinput_identity_manager | Manage asset and identity lookup configurations. See Add asset and identity data to Splunk Enterprise Security, How asset and identity correlation works, and Manage assets and identities in Splunk Enterprise Security. | X | | |
edit_log_review_settings | Make changes to the analyst queue settings. See Configure the settings for the analyst queue in Splunk Enterprise Security. | X | | |
edit_lookups, edit_managed_configurations | Create and make changes to lookup table files. See Create and manage lookups in Splunk Enterprise Security. | X | | |
edit_reviewstatuses | Make changes to the status of a finding or an investigation. See Change the status of a finding or an investigation in Splunk Enterprise Security. | X | | |
edit_suppressions | Edit Splunk eventtypes in the Threat Intelligence supporting add-on, and create and edit suppressions for findings. See Create suppression rules for findings in Splunk Enterprise Security. The | X | | |
edit_notable_events | Make changes to findings, such as assigning them and transitioning them between statuses. Statuses for Splunk Enterprise Security investigations are stored in the reviewstatuses.conf file. See Manage analyst workflows using the analyst queue in Splunk Enterprise Security. | X | X | |
edit_per_panel_filters | Permits the role to update per-panel filters on dashboards. See Configure per-panel filtering in Splunk Enterprise Security. | X | | |
edit_modinput_app_permissions_manager | Allows you to edit the app permissions manager. Required for essinstall. | X | | |
edit_modinput_threatlist | Change intelligence download settings. | X | | |
edit_risk_factors | Change risk factor settings. See Create risk factors to adjust risk scores in Splunk Enterprise Security. | X | | |
edit_threat_intel_collections | Upload threat intelligence and perform CRUD operations on threat intelligence collections using the REST API. | X | | |
edit_modinput_ess_content_importer | Allows you to import content from installed applications. | X | | |
migrate_correlationsearches | (Internal) Used by the background script to migrate detections. | X | | |
edit_managed_configurations | Make changes to the general settings or the list of editable lookups. See Configure general settings for Splunk Enterprise Security. | X | | |
manage_all_investigations | Allows the role to view and make changes to all investigations. See Managing access to investigations in Splunk Enterprise Security. | X | | |
edit_analyticstories | Allows the role to make changes to analytics stories. See Manage analytics stories in Splunk Enterprise Security. | X | X | |
edit_timeline | Create and edit investigations. Roles with this capability can make changes to investigations on which they are a collaborator. See Collaborate on investigations in Splunk Enterprise Security. | X | X | |
can_own_notable_events | Allows the role to be an owner of findings. | X | X | |
edit_managed_configurations, schedule_search | Create lookup tables that can be populated by a search. See Create search-driven lookups in Splunk Enterprise Security. | X | | |
edit_modinput_app_imports_update | Allows you to update app imports with all apps matching a given regular expression. | X | | |
mc_assets_read | Allows retrieving asset data via the public API. | X | X | X |
mc_identity_read | Allows retrieving identity data via the public API. | X | X | X |
mc_risk_score_read | Allows retrieving a list of risk scores by entity via the public API. | X | X | X |
mc_risk_score_write | Allows adding risk modifiers for an entity via the public API. | X | X | |
mc_investigation_read | View investigation data, such as viewing an investigation's Overview or retrieving investigation data through the public APIs. | X | X | X |
mc_investigation_write | Edit investigation data, such as applying a response plan to an investigation or editing an investigation through the public APIs. | X | X | |
mc_display_id | Allows retrieving and creating human-readable IDs for investigations in Splunk Mission Control. | X | | |
edit_missioncontrol_agreements | Accept the initial user agreement and activate or deactivate Splunk Mission Control. | | | |
edit_intelligence_management | Create, edit, delete, and activate intelligence workflows with Threat Intelligence Management in Splunk Mission Control. | X | X | |
mc_delete_soar_asset | Delete assets in Splunk SOAR (Cloud). | | | |
mc_edit_soar_apps | Edit apps in Splunk SOAR (Cloud). | | | |
mc_edit_soar_assets | Edit assets in Splunk SOAR (Cloud). | | | |
mc_health_report | Call the health report endpoint on Splunk Mission Control. | X | X | X |
mc_incident_settings_read | View the Splunk Mission Control settings page. | X | | |
mc_incident_settings_edit | Edit Splunk Mission Control settings. | X | | |
mc_response_template_view | View response templates. | X | X | X |
mc_response_template_edit | Edit response templates. | X | | |
mc_trigger_backfill | Trigger all incidents in the backfill to be pushed directly to Splunk SOAR. | | | |
mc_view_soar_apps | View apps in Splunk SOAR (Cloud). | | | |
mc_view_soar_assets | View assets in Splunk SOAR (Cloud). | | | |
mc_incident_sla_settings_read | View the Splunk Mission Control incident SLA settings page. | X | X | X |
mc_incident_sla_settings_edit | Edit the Splunk Mission Control incident SLA settings. | X | | |
mc_view_soar_system_settings | View system settings in Splunk SOAR (Cloud). | | | |
mc_edit_soar_system_settings | Edit system settings in Splunk SOAR (Cloud). | | | |
mc_view_soar_custom_lists | View custom lists in Splunk SOAR (Cloud). | | | |
mc_edit_soar_custom_lists | Edit custom lists in Splunk SOAR (Cloud). | | | |
mc_delete_soar_custom_lists | Delete custom lists in Splunk SOAR (Cloud). | | | |
mc_view_soar_users_roles | View users and their roles in Splunk SOAR (Cloud). | | | |
mc_view_im_data | Access Threat Intelligence Management data. | | | |
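Because roles inherit capabilities through importRoles, a role's effective capability set is not visible from its own stanza alone. The following added example (not Splunk's code) resolves that inheritance from authorize.conf role stanzas and checks two things the table above implies: that every role still carries list_inputs, and that capabilities the table grants only to ess_admin by default have not been inherited by other roles. The stanzas are constructed, the built-in "user" role is intentionally absent, and the ADMIN_ONLY set is a subset chosen from the table.

```python
# Constructed sample stanzas (not from a real deployment); the built-in "user" role is absent.
SAMPLE_AUTHORIZE_CONF = """
[role_ess_user]
importRoles = user
list_inputs = enabled
[role_ess_analyst]
importRoles = ess_user
[role_ess_admin]
importRoles = ess_analyst
admin_all_objects = enabled
[role_soc_tier1]
importRoles = ess_analyst
edit_correlationsearches = enabled
[role_soc_readonly]
mc_assets_read = enabled
"""
# Some of the capabilities the table grants only to ess_admin by default.
ADMIN_ONLY = {"admin_all_objects", "edit_correlationsearches", "edit_threat_intel_collections"}


def parse_roles(text):
    # Build {role: {"imports": [...], "caps": set()}} from [role_*] stanzas.
    roles, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[role_") and line.endswith("]"):
            current = line[6:-1]
            roles[current] = {"imports": [], "caps": set()}
        elif current is not None and "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            if key == "importRoles":
                roles[current]["imports"] = [r for r in val.split(";") if r]
            elif val == "enabled":
                roles[current]["caps"].add(key)
    return roles


def effective_caps(roles, name, seen=()):
    # Follow importRoles recursively; 'seen' guards against import cycles.
    if name in seen or name not in roles:  # roles not in the file (e.g. "user") add nothing
        return set()
    caps = set(roles[name]["caps"])
    for parent in roles[name]["imports"]:
        caps |= effective_caps(roles, parent, seen + (name,))
    return caps


def audit(text):
    # Report roles lacking list_inputs and non-admin roles holding admin-only capabilities.
    roles, findings = parse_roles(text), []
    for name in roles:
        caps = effective_caps(roles, name)
        if "list_inputs" not in caps:
            findings.append(f"{name}: list_inputs missing")
        if name != "ess_admin" and caps & ADMIN_ONLY:
            findings.append(f"{name}: admin-only {sorted(caps & ADMIN_ONLY)}")
    return findings
```

Run audit() over the merged authorize.conf from btool rather than a single file, since the effective role definition spans several apps.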