Capability reference for Splunk Enterprise Security

Splunk Enterprise Security uses capabilities to control access to specific features. Capabilities are defined in the authorize.conf configuration file for Splunk Enterprise Security and are granted to a role by listing them in that role's stanza. The following reference table defines the relevant capabilities for Splunk Enterprise Security and specifies which roles include each capability by default.

Note: Do not remove the list_inputs capability from a role.
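
To check which roles actually hold a capability on a deployment, including capabilities picked up through importRoles, you can resolve the role stanzas of authorize.conf. The script below is an added example written for this page, not Splunk's own code. It treats any setting with the value enabled inside a [role_<name>] stanza as a granted capability, follows importRoles recursively, and reports roles that would violate the note above by lacking list_inputs. The authorize.conf text it parses is constructed for illustration, and the soc_tier1 role in it is hypothetical.

```python
"""Resolve effective Splunk role capabilities from authorize.conf stanzas.

Added example for this reference page; not part of Splunk Enterprise Security.
The conf text below is constructed, and soc_tier1 is a hypothetical custom role.
"""
import configparser

# Constructed sample in authorize.conf syntax. Real ES stanzas carry many
# more settings (search filters, quotas, ...); only "<capability> = enabled"
# lines are treated as grants here.
SAMPLE_AUTHORIZE_CONF = """\
[role_ess_user]
importRoles = user
list_inputs = enabled
mc_assets_read = enabled
mc_identity_read = enabled
srchIndexesAllowed = *

[role_ess_analyst]
importRoles = ess_user
edit_notable_events = enabled
can_own_notable_events = enabled
edit_timeline = enabled

[role_ess_admin]
importRoles = ess_analyst;ess_user
edit_correlationsearches = enabled
schedule_search = enabled
manage_all_investigations = enabled

[role_soc_tier1]
edit_notable_events = enabled
can_own_notable_events = enabled
mc_assets_read = enabled
"""


def parse_roles(conf_text):
    """Return {role: {"imports": [...], "granted": set()}} from conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep capability names exactly as written
    cp.read_string(conf_text)
    roles = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue  # [capability::...] and other stanzas are not roles
        name = section[len("role_"):]
        imports, granted = [], set()
        for key, value in cp.items(section):
            if key == "importRoles":
                imports = [r.strip() for r in value.split(";") if r.strip()]
            elif value.strip().lower() == "enabled":
                granted.add(key)
        roles[name] = {"imports": imports, "granted": granted}
    return roles


def effective_capabilities(roles, role, _seen=None):
    """Capabilities a role holds directly or through importRoles (cycle-safe)."""
    seen = set() if _seen is None else _seen
    if role in seen or role not in roles:
        return set()  # roles defined in another conf (e.g. built-in 'user') add nothing here
    seen.add(role)
    caps = set(roles[role]["granted"])
    for parent in roles[role]["imports"]:
        caps |= effective_capabilities(roles, parent, seen)
    return caps


def roles_with(roles, capability):
    """Sorted names of the roles that effectively hold a capability."""
    return sorted(r for r in roles if capability in effective_capabilities(roles, r))


def missing_list_inputs(roles):
    """Roles that lack list_inputs, which this page says must stay on every role."""
    return sorted(r for r in roles if "list_inputs" not in effective_capabilities(roles, r))


if __name__ == "__main__":
    parsed = parse_roles(SAMPLE_AUTHORIZE_CONF)
    for cap in ("edit_notable_events", "edit_correlationsearches", "mc_assets_read"):
        print(f"{cap}: {', '.join(roles_with(parsed, cap))}")
    print("roles missing list_inputs:", missing_list_inputs(parsed) or "none")
```

On a real deployment, feed the script the merged view from `splunk btool authorize list` rather than a single file, because capabilities can be granted in the default and local authorize.conf of several apps. In the constructed sample, soc_tier1 is reported as missing list_inputs, while the three ess roles inherit it from ess_user.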

In the table, the last column lists the roles that have the capability by default. The ess_admin role inherits the capabilities of ess_analyst, which inherits those of ess_user, so a capability held by ess_user is also held by the two higher roles. Rows marked (none listed) have no default role in this reference.

Capability | Description | Roles with this capability by default
edit_filter_sets | Allows a Splunk Enterprise Security administrator to configure specific views for analysts based on their roles in the organization. Also allows users and analysts to see the saved views that are available to them. | ess_analyst, ess_admin
edit_uba_settings | Manage the settings for sending data from Splunk Enterprise to Splunk UBA. | ess_admin
edit_cam_queue | Write to the Common Action Model (CAM) queue. See Configure adaptive response action relays in Splunk Enterprise Security. | ess_admin
edit_modinput_configuration_check | Run configuration checks. | ess_admin
edit_notable_events | Create ad-hoc findings from search results, and make changes to existing findings, such as assigning them and transitioning them between statuses. Statuses for Splunk Enterprise Security investigations are stored in the reviewstatuses.conf file. See Configure findings manually to track specific fields in Splunk Enterprise Security and Manage analyst workflows using the analyst queue in Splunk Enterprise Security. | ess_analyst, ess_admin
admin_all_objects, list_storage_passwords, list_app_certs, edit_app_certs, delete_app_certs | Manage credentials and certificates for Splunk Enterprise Security and other apps. These capabilities cannot be set on the Permissions page. See Manage credentials in Splunk Enterprise Security. | ess_admin
edit_modinput_data_migrator | Perform one-time data migrations. | ess_admin
edit_modinput_dm_accel_settings | Edit the data model acceleration (DMA) modular input. By default, this modular input turns on acceleration for the data models that Splunk Enterprise Security requires. | ess_admin
edit_modinput_whois | Make changes to the whois modular input. | ess_admin
edit_search_schedule_priority, edit_search_schedule_window | Edit the schedule priority and schedule window of detections. | ess_admin
edit_correlationsearches, schedule_search | Edit detections. Users with these capabilities can also export content from Content Management as an app. See Export content as an app from Splunk Enterprise Security. | ess_admin
edit_modinput_es_deployment_manager | Use distributed configuration management. See Deploy add-ons included with Splunk Enterprise Security. | ess_admin
edit_es_navigation | Make changes to the Splunk Enterprise Security navigation. See Customize the menu bar in Splunk Enterprise Security. | ess_admin
edit_modinput_identity_manager | Manage asset and identity lookup configurations. See Add asset and identity data to Splunk Enterprise Security, How asset and identity correlation works, and Manage assets and identities in Splunk Enterprise Security. | ess_admin
edit_log_review_settings | Make changes to the analyst queue settings. See Configure the settings for the analyst queue in Splunk Enterprise Security. | ess_admin
edit_lookups, edit_managed_configurations | Create and make changes to lookup table files. See Create and manage lookups in Splunk Enterprise Security. | ess_admin
edit_reviewstatuses | Make changes to the status of a finding or an investigation. See Change the status of a finding or an investigation in Splunk Enterprise Security. | ess_admin
edit_suppressions | Edit Splunk eventtypes in the Threat Intelligence supporting add-on, and create and edit suppressions for findings. See Create suppression rules for findings in Splunk Enterprise Security. The ess_user and ess_analyst roles do not have this capability by default, so they cannot edit suppressions through the suppression pages in Splunk Web. However, they can read and write eventtypes, so they can still edit suppressions through the event types interface. | ess_admin
edit_per_panel_filters | Update per-panel filters on dashboards. See Configure per-panel filtering in Splunk Enterprise Security. | ess_admin
edit_modinput_app_permissions_manager | Edit the app permissions manager modular input. Required for essinstall. | ess_admin
edit_modinput_threatlist | Change intelligence download settings. | ess_admin
edit_risk_factors | Change risk factor settings. See Create risk factors to adjust risk scores in Splunk Enterprise Security. | ess_admin
edit_threat_intel_collections | Upload threat intelligence and perform CRUD operations on threat intelligence collections using the REST API. | ess_admin
edit_modinput_ess_content_importer | Import content from installed applications. | ess_admin
migrate_correlationsearches | (Internal) Used by the background script to migrate detections. | ess_admin
edit_managed_configurations | Make changes to the general settings or the list of editable lookups. See Configure general settings for Splunk Enterprise Security. | ess_admin
manage_all_investigations | View and make changes to all investigations, not only those on which the user is a collaborator. See Managing access to investigations in Splunk Enterprise Security. | ess_admin
edit_analyticstories | Make changes to analytics stories. See Manage analytics stories in Splunk Enterprise Security. | ess_analyst, ess_admin
edit_timeline | Create and edit investigations. Roles with this capability can make changes to investigations on which they are a collaborator. See Collaborate on investigations in Splunk Enterprise Security. | ess_analyst, ess_admin
can_own_notable_events | Be assigned as the owner of findings. | ess_analyst, ess_admin
edit_managed_configurations, schedule_search | Create lookup tables that are populated by a search. See Create search-driven lookups in Splunk Enterprise Security. | ess_admin
edit_modinput_app_imports_update | Update app imports with all apps matching a given regular expression. | ess_admin
mc_assets_read | Retrieve asset data through the public API. | ess_user, ess_analyst, ess_admin
mc_identity_read | Retrieve identity data through the public API. | ess_user, ess_analyst, ess_admin
mc_risk_score_read | Retrieve a list of risk scores by entity through the public API. | ess_user, ess_analyst, ess_admin
mc_risk_score_write | Add risk modifiers for an entity through the public API. | ess_analyst, ess_admin
mc_investigation_read | View investigation data, such as the investigation Overview, or retrieve investigation data through the public API. | ess_user, ess_analyst, ess_admin
mc_investigation_write | Edit investigation data, such as applying a response plan to an investigation or editing an investigation through the public API. | ess_analyst, ess_admin
mc_display_id | Retrieve and create human-readable IDs for investigations in Splunk Mission Control. | ess_admin
edit_missioncontrol_agreements | Accept the initial user agreement and activate or deactivate Splunk Mission Control. | (none listed)
edit_intelligence_management | Create, edit, delete, and activate intelligence workflows with Threat Intelligence Management in Splunk Mission Control. | ess_analyst, ess_admin
mc_delete_soar_asset | Delete assets in Splunk SOAR (Cloud). | (none listed)
mc_edit_soar_apps | Edit apps in Splunk SOAR (Cloud). | (none listed)
mc_edit_soar_assets | Edit assets in Splunk SOAR (Cloud). | (none listed)
mc_health_report | Call the health report endpoint of Splunk Mission Control. | ess_user, ess_analyst, ess_admin
mc_incident_settings_read | View the Splunk Mission Control settings page. | ess_admin
mc_incident_settings_edit | Edit Splunk Mission Control settings. | ess_admin
mc_response_template_view | View response templates. | ess_user, ess_analyst, ess_admin
mc_response_template_edit | Edit response templates. | ess_admin
mc_trigger_backfill | Trigger a backfill that pushes all incidents directly to Splunk SOAR. | (none listed)
mc_view_soar_apps | View apps in Splunk SOAR (Cloud). | (none listed)
mc_view_soar_assets | View assets in Splunk SOAR (Cloud). | (none listed)
mc_incident_sla_settings_read | View the Splunk Mission Control incident SLA settings page. | ess_user, ess_analyst, ess_admin
mc_incident_sla_settings_edit | Edit the Splunk Mission Control incident SLA settings. | ess_admin
mc_view_soar_system_settings | View system settings in Splunk SOAR (Cloud). | (none listed)
mc_edit_soar_system_settings | Edit system settings in Splunk SOAR (Cloud). | (none listed)
mc_view_soar_custom_lists | View custom lists in Splunk SOAR (Cloud). | (none listed)
mc_edit_soar_custom_lists | Edit custom lists in Splunk SOAR (Cloud). | (none listed)
mc_delete_soar_custom_lists | Delete custom lists in Splunk SOAR (Cloud). | (none listed)
mc_view_soar_users_roles | View users and their roles in Splunk SOAR (Cloud). | (none listed)
mc_view_im_data | Access Threat Intelligence Management data. | (none listed)