I found this document https://saviynt.freshdesk.com/support/solutions/articles/43000666823-splunk-integration-guide . It looks like the document is for Splunk on-prem. We have Splunk SaaS. Has anyone done a Saviynt integration with Splunk SaaS? Is any documentation available for that?
As per the Splunk doc - https://docs.splunk.com/Documentation/SplunkCloud/9.0.2209/Admin/SelfServiceAppInstall, add-on installation should work on Splunk Cloud deployments as well. Go ahead and try installing the SPL file from the documentation - https://saviynt.freshdesk.com/support/solutions/articles/43000666823-splunk-integration-guide - on your Splunk instance.
Can you review this option https://docs.splunk.com/Documentation/AddOns/released/Overview/SplunkCloudinstall#Install_add-ons_to...
and confirm if you are able to install the Saviynt addon to consume audit logs
The Splunk vendor has suggested that they are able to go ahead with the add-on install. We are still facing an issue with the following document when creating the Saviynt user with the correct permissions. The options to set up permissions in the SAV role are not visible, as per the screenshot. Saviynt SIEM Integration : Customer Portal (freshdesk.com)
Let me tell you, I have spent hours working through this very issue for our Splunk integration and have mostly figured it out! The documentation seems very incomplete, as the listed features for the role are not sufficient for the API calls to the runtime analytics to work correctly. I am still narrowing it down to the least permissions, but I do have it working now without using ROLE_ADMIN. If you share more specifics on where you are at with this, I can try to provide guidance.
Create a new SAV role - ROLE_SIEM - and, based on the analytics version you used to create the runtime analytics, add the access below in the access tab of the SAV role.
Analytics V1 -> SUBMENU.WEBSERVICE.api_v5_fetchRuntimeControlsData
Analytics V2 -> SUBMENU.WEBSERVICE.api_v5_fetchRuntimeControlsDataV2
psejpal, can you confirm which option was used to configure the add-on, so that other community members can also benefit from this information?
Regarding the follow-up question on SAV role access, please refer to the following response - For web services the access is fine-grained and can be restricted to the specific web services that are required to support the functionality. In this case the minimum access needed is to invoke the result of the Analytics web service fetchRuntimeControlsDataV2 (assuming you are using V2 ES analytics). So you have to configure this access in the SAV role assigned to the service account that you are using in Splunk.
As a best practice when granting access to a service account, limit it to the APIs that you will need for the use case being implemented. Do not use the Role_Admin SAV role for the service account, as this will grant a lot more access than needed.
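The least-privilege guidance above (role needs only the runtime-analytics web service matching the analytics version, never ROLE_ADMIN) as an added example, not code from this thread or from Saviynt. It assumes you have exported each SAV role's access entries into a mapping; the sample role data and the extra service name are constructed for illustration.

```python
"""Least-privilege audit for the SAV role(s) assigned to a Splunk service account.

Checks the three points raised in the thread: ROLE_ADMIN must not be used,
the runtime-analytics web service for the analytics version in use must be
present, and every other access entry is a candidate for removal.
"""
from dataclasses import dataclass

# Permission strings quoted in the thread, keyed by analytics version.
# The thread notes the V2 API is not available on v5.5 SP3, so use version 1 there.
REQUIRED_ACCESS = {
    1: "SUBMENU.WEBSERVICE.api_v5_fetchRuntimeControlsData",
    2: "SUBMENU.WEBSERVICE.api_v5_fetchRuntimeControlsDataV2",
}
OVERPRIVILEGED_ROLES = {"ROLE_ADMIN"}


@dataclass
class Finding:
    severity: str  # "high" (will break or grossly over-privilege) or "medium" (trim later)
    message: str


def audit_siem_roles(assigned_roles, role_access, analytics_version):
    """Return findings for a service account.

    assigned_roles:    SAV role names on the account, e.g. {"ROLE_SIEM"}.
    role_access:       mapping role name -> set of access entries (the role's access tab).
    analytics_version: 1 or 2, matching how the runtime analytics were created.
    """
    if analytics_version not in REQUIRED_ACCESS:
        raise ValueError(f"unsupported analytics version: {analytics_version}")
    required = REQUIRED_ACCESS[analytics_version]
    findings = []
    for role in sorted(set(assigned_roles) & OVERPRIVILEGED_ROLES):
        findings.append(Finding("high", f"{role} assigned to service account; grants far more than needed"))
    # Effective access is the union over all assigned roles (unknown roles contribute nothing).
    effective = set().union(*(set(role_access.get(r, ())) for r in assigned_roles))
    if required not in effective:
        findings.append(Finding("high", f"missing {required}; Splunk's analytics fetch will be rejected"))
    for extra in sorted(effective - {required}):
        findings.append(Finding("medium", f"{extra} not needed for the SIEM use case; candidate for removal"))
    return findings


def is_least_privilege(assigned_roles, role_access, analytics_version):
    """True only when the account has exactly the one required web service and no admin role."""
    return not audit_siem_roles(assigned_roles, role_access, analytics_version)


# Constructed sample: a ROLE_SIEM that still carries one extra (made-up) web service.
SAMPLE_ROLE_ACCESS = {
    "ROLE_SIEM": {REQUIRED_ACCESS[2], "SUBMENU.WEBSERVICE.api_v5_exampleOtherService"},
    "ROLE_ADMIN": {REQUIRED_ACCESS[1], REQUIRED_ACCESS[2], "SUBMENU.WEBSERVICE.api_v5_exampleOtherService"},
}
```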
Splunk has accepted that the add-on can be used on SaaS Splunk as well. It's not completed yet, but I will update once the vendor installs it and if it works.
As far as the permissions go, I don't see the fetchRuntimeControlsDataV2 permission in the list at all. For now we have provided some more permissions, and slowly we will have to reduce them.
psejpal, just noticed that you are on v5.5 sp3, so the fetchRuntimeControlsDataV2 API is not applicable for your version. (The list of APIs is available in the following document https://documenter.getpostman.com/view/1797923/TVsvi7G2?version=latest#40ca8455-ba53-4c04-87f7-146ad...)
Search for fetchRuntimeControlsData; you should be able to find it.