Set up remote search on a standalone Splunk Enterprise instance
If you are using Splunk SOAR version 6.2.0 or higher, use the universal forwarder. See Set up universal forwarder using Splunk SOAR version 6.2.0 or higher.
This article is for standalone Splunk Enterprise instances only. For Splunk Cloud Platform instances or distributed Splunk Enterprise instances, see Set up remote search on a distributed Splunk Enterprise instance or Splunk Cloud Platform instance.
This article describes logs for data within Splunk SOAR. For information on logs for the system where Splunk SOAR is installed, see Configure SOAR system logs using Splunk App for SOAR.
This is an overview of the steps needed to connect your Splunk SOAR instance or cluster to a standalone external Splunk Enterprise instance. Steps here link to detailed steps later in this article.
- Before you begin: Create the required user accounts and add the required indexes on the Splunk Enterprise environment for Splunk SOAR.
- Set up the HTTP Event Collector on the standalone Splunk Enterprise instance.
- Configure Splunk SOAR to use an external Splunk Enterprise deployment.
Before you begin
Complete this section before continuing with the appropriate section below.
Assign required roles
Confirm that you have assigned the required roles, as described in Assign roles for Splunk App for SOAR.
Add required indexes for a new token
These indexes are required to create a new HTTP Event Collector (HEC) token, regardless of your configuration.
When you are creating the new token, add all the indexes listed below, including any custom indexes, and move them to the Selected item(s) list. Then, select the index you want to use as the default index, such as phantom_app
.
The following is a list of all of the Splunk SOAR indexes available for the HTTP Event Collector:
- phantom_action_run
- phantom_app
- phantom_app_run
- phantom_artifact
- phantom_asset
- phantom_container
- phantom_container_attachment
- phantom_container_comment
- phantom_custom_function
- phantom_decided_list
- phantom_note
- phantom_playbook
- os
- splunk_app_soar
On the HTTP Event Collector page, copy the token value for the new token. You will need this value when you configure Splunk SOAR. If you don't copy it now, you can return to the HTTP Event Collector page to obtain the value later when you need it.
The splunk_app_soar
index is used in inputs.conf
and is part of the SOAR System Logs. Both the splunk_app_soar
and the os
index are used for ITSI.
Using custom prefixes
If you have multiple Splunk SOAR instances in your environment, you can append a custom prefix to the index created on the Splunk Enterprise instance. Use the custom prefix to create separate indexes for each Splunk SOAR instance, which provides data separation and the ability to correlate each index with the appropriate Splunk SOAR instance. For more information, if you are using Splunk SOAR (On-premises), see Define a custom index per Splunk SOAR (On-premises) instance page in the Administer Splunk SOAR (On-premises) manual.
If you want to define a custom prefix, the admin user defined in this command must also be assigned the splunk_app_soar role:
phenv set_preference --splunk-index-prefix="<prefixstring>" --splunk-admin-username <splunkadminusername>
Set up the HTTP Event Collector on the standalone Splunk Enterprise instance
Enable the HTTP Event Collector (HEC) on the Splunk Enterprise instance and create a new token so you can use the HEC. Repeat these tasks on other indexers if those other indexers require separate HEC tokens. See Scale HTTP Event Collector with distributed deployments in the Splunk Enterprise Getting Data In manual for more information.
See Configure HTTP Event Collector on Splunk Enterprise for instructions.
Restart Splunk Enterprise if your Splunk SOAR indexes are not recognized
In some cases, Splunk Enterprise does not recognize Splunk SOAR indexes, in which case some data, such as the custom-function data, won't be indexed. You will see an error like the following example in your Splunk logs:
03-15-2021 19:10:07.802 +0000 WARN IndexAdminHandler [23800 TcpChannelThread] - idx=newsearch_phantom_custom_function Unable to reload indexer after adding: reason='already reloading or shutting down, will not reload'. Restart required.
Restart your Splunk Enterprise instance to resolve this issue.
Configure Splunk SOAR to use an external Splunk Enterprise deployment
After the remote-search service is installed and the required user accounts are created, configure Splunk SOAR to use the external Splunk Enterprise instance.
Verify that you have required information before adding the external Splunk Enterprise instance
Before proceeding, verify that you have the following:
- The host name and the REST API port number of your Splunk Enterprise instance.
- The HTTP Event Collector token.
- The indexes required for the HTTP Event Collector token. See Required indexes for a new token in this topic.
- The user names and passwords for the user accounts with the
phantomsearch
andphantomdelete
roles.
Add the external Splunk instance
Perform the following tasks to add the external Splunk Enterprise instance deployment.
- Log in to Splunk SOAR as an administrative user.
- From the main menu, select Administration.
- Select Administration Settings.
- Select Search Settings.
- In the Search Endpoint field, select the radio button for External Splunk Enterprise Instance.
- In the Enable Splunk Search Endpoint section, type the host name of your Splunk Enterprise instance in the Host field.
- In the User with Search Privileges field, type the username and password for the user account with the
phantomsearch
role in the Username and Password fields. - In the User with Delete Privileges field, type the username and password for the user account with the
phantomdelete
role in the Username and Password fields. - Enter the port number that the Splunk Enterprise instance uses to listen for REST API calls in the REST Port field.
- Select the Use SSL for REST checkbox to enable SSL for REST API calls.
- Select the Verify Certificate for REST checkbox to enable SSL certificate verification.
- Enter the port number for the HTTP Event Collector on the Splunk instance in the HTTP Event Collector Port field. The default HEC port is 8088.
- Select the Use SSL for HTTP Event Collector checkbox to enable SSL for the HTTP Event Collector.
- Select the Verify Certificate for HTTP Event Collector checkbox to enable SSL certificate verification.
- Paste the HTTP Event Collector token in the HTTP Event Collector Token field.
- Select Test Connection to verify the connection to your Splunk Enterprise instance deployment.
- Select Save Changes.
Reindex data | Set up remote search on a distributed Splunk Enterprise instance or Splunk Cloud Platform instance |
This documentation applies to the following versions of Splunk® App for SOAR: 1.0.71
Feedback submitted, thanks!