
| Function in ES | Description | Capability | ess_user | ess_analyst | ess_admin |
|---|---|---|---|---|---|
| Edit correlation searches | Edit correlation searches on Content Management. See Configure correlation searches in Splunk Enterprise Security. Users with this capability can also export content from Content Management as an app. See Export content as an app from Splunk Enterprise Security. | edit_correlationsearches, schedule_search | | | |
| Edit Distributed Configuration Management | Use distributed configuration management. See Deploy add-ons included with Splunk Enterprise Security. | edit_modinput_es_deployment_manager | | | X |
| Edit ES navigation | Make changes to the Enterprise Security navigation. See Customize the menu bar in Splunk Enterprise Security. | edit_es_navigation | | | X |
| Edit identity lookup configuration | Manage Asset and Identity lookup configurations. See Add asset and identity data to Splunk Enterprise Security, Enable asset and identity correlation in Splunk Enterprise Security, and Manage assets and identities in Splunk Enterprise Security. | edit_modinput_identity_manager | | | X |
| Edit Incident Review | Make changes to Incident Review settings. See Customize Incident Review in Splunk Enterprise Security. | edit_log_review_settings | | | X |
| Edit lookups | Create and make changes to lookup table files. See Create and manage lookups in Splunk Enterprise Security. | edit_lookups, edit_managed_configurations | | | X |
| Edit statuses | Make changes to the statuses available to select for investigations and notable events. See Manage notable event statuses. | edit_reviewstatuses | | | X |
| Edit notable event suppressions | Edit Splunk eventtypes in the Threat Intelligence supporting add-on, and create and edit notable event suppressions. See Create and manage notable event suppressions. The ess_user and ess_analyst roles don't have the default ability to edit suppressions through | edit_suppressions | | | X |
