Splunk® App for SOAR

Install and Configure Splunk App for SOAR

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Set up remote search on a standalone Splunk Enterprise instance

If you are using Splunk SOAR version 6.2.0 or higher, use the universal forwarder. See Set up universal forwarder using Splunk SOAR version 6.2.0 or higher.

This article is for standalone Splunk Enterprise instances only. For Splunk Cloud Platform instances or distributed Splunk Enterprise instances, see Set up remote search on a distributed Splunk Enterprise instance or Splunk Cloud Platform instance.

This article describes logs for data within Splunk SOAR. For information on logs for the system where Splunk SOAR is installed, see Configure SOAR system logs using Splunk App for SOAR.

This is an overview of the steps needed to connect your Splunk SOAR instance or cluster to a standalone external Splunk Enterprise instance. Steps here link to detailed steps later in this article.

  1. Before you begin: Create the required user accounts and add the required indexes on the Splunk Enterprise environment for Splunk SOAR.
  2. Set up the HTTP Event Collector on the standalone Splunk Enterprise instance.
  3. Configure Splunk SOAR to use an external Splunk Enterprise deployment.

Before you begin

Complete this section before continuing with the appropriate section below.

Assign required roles

Confirm that you have assigned the required roles, as described in Assign roles for Splunk App for SOAR.

Add required indexes for a new token

These indexes are required to create a new HTTP Event Collector (HEC) token, regardless of your configuration.

When you are creating the new token, add all the indexes listed below, including any custom indexes, and move them to the Selected item(s) list. Then, select the index you want to use as the default index, such as phantom_app. The following screenshot shows an example.

This screenshot shows the Input Settings page when adding a new token for a data input on the Splunk platform. The Index field is highlighted, showing a series of index names starting with "phantom_" that are moved from the Available items column to the Selected items column.

The following is a list of all the Splunk SOAR indexes available for the HTTP Event Collector:

  • phantom_action_run
  • phantom_app
  • phantom_app_run
  • phantom_artifact
  • phantom_asset
  • phantom_container
  • phantom_container_attachment
  • phantom_container_comment
  • phantom_custom_function
  • phantom_decided_list
  • phantom_note
  • phantom_playbook
  • os
  • splunk_app_soar

On the HTTP Event Collector page, copy the token value for the new token. You will need this value when you configure Splunk SOAR. If you don't copy it now, you can return to the HTTP Event Collector page to obtain the value later when you need it.

The splunk_app_soar index is used in inputs.conf and is part of the SOAR System Logs. Both the splunk_app_soar and the os index are used for ITSI.

Using custom prefixes

If you have multiple Splunk SOAR instances in your environment, you can append a custom prefix to the index created on the Splunk Enterprise instance. Use the custom prefix to create separate indexes for each Splunk SOAR instance, which provides data separation and the ability to correlate each index with the appropriate Splunk SOAR instance. For more information, if you are using Splunk SOAR (On-premises), see Define a custom index per Splunk SOAR (On-premises) instance page in the Administer Splunk SOAR (On-premises) manual.

If you want to define a custom prefix, the admin user defined in this command must also be assigned the splunk_app_soar role:


phenv set_preference --splunk-index-prefix="<prefixstring>" --splunk-admin-username <splunkadminusername>

Set up the HTTP Event Collector on the standalone Splunk Enterprise instance

Enable the HTTP Event Collector (HEC) on the Splunk Enterprise instance and create a new token so you can use the HEC. Repeat these tasks on other indexers if those other indexers require separate HEC tokens. See Scale HTTP Event Collector with distributed deployments in the Splunk Enterprise Getting Data In manual for more information.

See Configure HTTP Event Collector on Splunk Enterprise for instructions.


Restart Splunk Enterprise if your Splunk SOAR indexes are not recognized

In some cases, Splunk Enterprise does not recognize Splunk SOAR indexes, in which case some data, such as the custom-function data, won't be indexed. You will see an error like the following example in your Splunk logs:

03-15-2021 19:10:07.802 +0000 WARN  IndexAdminHandler [23800 TcpChannelThread] - idx=newsearch_phantom_custom_function Unable to reload indexer after adding: reason='already reloading or shutting down, will not reload'. Restart required.

Restart your Splunk Enterprise instance to resolve this issue.

Configure Splunk SOAR to use an external Splunk Enterprise deployment

After the remote-search service is installed and the required user accounts are created, configure Splunk SOAR to use the external Splunk Enterprise instance.

Verify that you have required information before adding the external Splunk Enterprise instance

Before proceeding, verify that you have the following:

  • The host name and the REST API port number of your Splunk Enterprise instance.
  • The HTTP Event Collector token.
  • The indexes required for the HTTP Event Collector token. See Required indexes for a new token in this topic.
  • The user names and passwords for the user accounts with the ​phantomsearch​ and ​phantomdelete​ roles.

Add the external Splunk instance

Perform the following tasks to add the external Splunk Enterprise instance deployment.

  1. Log in to Splunk SOAR as an administrative user.
  2. From the ​main menu​, select ​Administration​.
  3. Select Administration Settings​.
  4. Select Search Settings​.
  5. In the Search Endpoint field​, select the radio button for External Splunk Enterprise Instance​.
    1. In the Enable Splunk Search Endpoint section, type the host name of your Splunk Enterprise instance in the ​Host​ field.
    2. In the User with Search Privileges field, type the username and password for the user account with the ​phantomsearch​ role in the ​Username​ and ​Password​ fields.
    3. In the User with Delete Privileges field, type the username and password for the user account with the ​phantomdelete role in the ​Username​ and ​Password​ fields.
    4. Enter the port number that the Splunk Enterprise instance uses to listen for REST API calls in the REST Port​ field.
    5. Select the ​Use SSL for REST​ checkbox to enable SSL for REST API calls.
    6. Select the Verify Certificate for REST checkbox to enable SSL certificate verification.
    7. Enter the port number for the HTTP Event Collector on the Splunk instance in the ​HTTP Event Collector Port​ field. The default HEC port is 8088.
    8. Select the ​Use SSL for HTTP Event Collector​ checkbox to enable SSL for the HTTP Event Collector.
    9. Select the Verify Certificate for HTTP Event Collector checkbox to enable SSL certificate verification.
    10. Paste the HTTP Event Collector token in the ​HTTP Event Collector Token​ field.
    11. Select Test Connection to verify the connection to your Splunk Enterprise instance deployment.
  6. Select ​Save Changes.
Last modified on 05 December, 2023
PREVIOUS
Reindex data
  NEXT
Set up remote search on a distributed Splunk Enterprise instance or Splunk Cloud Platform instance

This documentation applies to the following versions of Splunk® App for SOAR: 1.0.0, 1.0.38, 1.0.41, 1.0.57


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters