Splunk® App for SOAR Export

Use the Splunk App for SOAR Export to Forward Events

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Run adaptive response actions in Splunk ES to send notable events to Splunk SOAR

You can run adaptive response actions in Splunk Enterprise Security (ES) to send notable events to Splunk SOAR. See Set up Adaptive Response actions in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual for more information about setting up and running adaptive response actions.

Notable events appear as artifacts in Splunk SOAR. If you create a correlation search for an adaptive response action that creates a notable, along with your Send to SOAR or Run Playbook in SOAR request, the event_id of the notable is also sent to Splunk SOAR as a CEF value in the artifact.

To send notable events with a heavy forwarder, use adaptive response relay. See Use adaptive response relay to send notable events from Splunk ES to Splunk SOAR.

If your SOAR connection is not successful, you can save events to be sent to SOAR later. Events cannot be saved to be sent later if their key names contain periods.

Perform the following steps to set up adaptive response actions in Splunk ES and integrate the notable events with Splunk SOAR:

  1. In Splunk Web, navigate to the Splunk Enterprise Security app.
  2. Select the Incident Review tab.
  3. From the time range picker, select the time period to view the data, and select Submit. Notable events from your selected time range appear in a table.
  4. For a notable event, in the Actions column, select Run Adaptive Response Actions.
  5. In the Adaptive Response Actions dialog, select Add New Response Actions.
  6. Select the desired response action:
    • Select Send to SOAR to send an artifact to Splunk SOAR.
    • Select Run Playbook in SOAR to send an artifact to Splunk SOAR while running a playbook.
  7. In the menu that appears, complete the adaptive response action configuration. The fields are described in the following table:
    Field Required? Description
    SOAR Instance Required
    • If you are running a Send to SOAR adaptive response action, select the Splunk SOAR instance you are connecting to.
    • If you are running a Run Playbook in SOAR adaptive response action, select the Splunk SOAR instance you are connecting to and playbook you want to run.
    Sensitivity Optional (Recommended) Sensitivity level for the forwarded event.
    Specify a sensitivity level for your search. If you do not specify a setting, Sensitivity is set as the value used in Splunk SOAR. The Splunk SOAR sensitivity default value is TLP: Amber.
    Severity Required Severity level for the forwarded event.
    Any custom severity levels you created in Splunk SOAR appear in this list. For details, see Connect the Splunk App for SOAR Export and the Splunk Platform to a Splunk SOAR server or Splunk SOAR in this user guide and Create custom severity names in the Splunk SOAR documentation.
    Label Optional Label for the forwarded event. Your label must match a label that exists in Splunk SOAR, such as the default label events or any custom labels created by Splunk SOAR users. See Troubleshoot the Splunk App for SOAR Export for an example search that you can use to verify that you successfully added your label.
    Grouping Optional Select the check box if you want events forwarded to Splunk SOAR to be grouped into one container, rather than in separate containers.


    Requires that the Splunk Common Information Model (CIM), Splunk Enterprise Security (ES), or both are also installed in your Splunk instance.

    Container Name Optional Name for the container created in Splunk SOAR. Choose one of the following options as the name of the container:
    • Search Name uses the name of the adaptive response action. (Default value)
    • Source uses the source of the event that triggered the adaptive response action.
    Worker Set Optional The search head or heavy forwarder that will send the notable events from Splunk ES to Splunk SOAR:
    Alert Action Account Required for adaptive response relay An existing account name configured on the Alert Action Configuration page. See Set up adaptive response relay on your Splunk instances.


    Leave this field blank if you are not using adaptive response relay to send notable events from Splunk ES to Splunk SOAR.

  8. Select Run.

If you specified a description in your correlation search, that description is also sent to Splunk SOAR as the container description.

To view results for your Splunk SOAR instance and playbook, you must run the sync playbooks command from the Splunk SOAR Server Configuration page in the Splunk App for SOAR Export. See Connect the Splunk App for SOAR Export and the Splunk Platform to Splunk SOAR.

Run adaptive response actions using the sendalert command

The graphical user interface is the preferred method for running adaptive response actions. If you choose, you can also use the sendalert command to perform a sendtophantom or runphantomplaybook to your Splunk SOAR instance.

The sendalert command values are case sensitive cannot include extra spaces. To ensure you are using the correct parameter values, copy the values from the Alert Action user interface, described earlier in this article.

Send to SOAR request

Here is an example of a sendalert command for a Send to SOAR (sendtophantom) request: 

| makeresults 
| eval src_ip="123.45.66.77" 
| sendalert sendtophantom param.phantom_server="automation (https://10.1.18.201)" param.sensitivity="amber" param.severity="low" param.grouping="1" param.label="events" param._cam_workers="[\"local\"]"

If the sendalert command runs successfully, the phantom_sendtophantom_modalert.log file includes an entry like this: 

2024-03-12 15:20:09,420 INFO pid=19991 tid=MainThread file=cim_actions.py:message:436 | sendmodaction - worker="localhost.localdomain" signature="Running action 'sendtophantom' to forward a single event to 'automation (https://10.1.18.201)' and grouped into a single container" action_name="sendtophantom" sid="1710282002.4286" rid="0" app="search" user="admin" digest_mode="1" action_mode="adhoc" action_status="success"

The following table provides basic information for the sendalert command parameters for a sendtophantom request. For more detailed descriptions, refer to the table in the section on using the graphical user interface.

Field Required? Data type Description
param.server_playbook_name Required <string> server_playbook_name
param.severity Required <string> severity
param.sensitivity Optional (Recommended) <string> sensitivity
param.label Optional <string> label
param.grouping Optional <string> grouping
1 = grouped
0 = not grouped
param.relay_account Optional <string> relay_account (the Alert Action Account)
param.container_name Optional <string> search_name (default) or source.
param._cam_workers Optional <string> adaptive response relay worker
Use "[\"local\"]" if running locally. For example: param._cam_workers="[\"local\"]"

Run Playbook in SOAR request

Here is an example of a sendalert command for a Run Playbook in SOAR (runphantomplaybook) request: 

| makeresults 
| eval src_ip="123.45.66.77" 
| sendalert runphantomplaybook param.server_playbook_name="Default: phmarketing/mkt1" param.sensitivity="amber" param.severity="low" param.label="events" param._cam_workers="[\"local\"]"

If the sendalert command runs successfully, the phantom_runphantom_playbook_modalert.log file includes an entry like this: 

2024-03-19 14:55:09,308 INFO pid=9630 tid=MainThread file=cim_actions.py:message:436 | sendmodaction - worker="lab1" signature="Running action 'runphantomplaybook' to forward multiple events to 'Default'" action_name="runphantomplaybook" sid="1710885307.6685" rid="0" app="search" user="admin" digest_mode="1" action_mode="adhoc" action_status="success"

The following table provides basic information for the sendalert command parameters for a runphantomplaybook request. For more detailed descriptions, refer to the table in the section on using the graphical user interface.

Field Required? Data type Description
param.server_playbook_name Required <string> name of the server and playbook to run
param.severity Required <string> severity
param.sensitivity Optional (Recommended) <string> sensitivity
param.label Optional <string> label
param.grouping Optional <string> grouping
1 = grouped
0 = not grouped
param.relay_account Optional <string> relay_account
param.container_name Optional <string> search_name (default) or source
param.search_description Optional <string> description of saved search or correlation search
param._cam Optional <json> active response parameters
param._cam_workers Optional <string> adaptive response relay worker
Use "[\"local\"]" if running locally. For example: param._cam_workers="[\"local\"]"

Troubleshooting the sendalert command

In some cases, you might see an error like this from the sendalert command: 

Error in 'sendalert' command: Alert script returned error code 3

To find the cause of the error, follow these steps:

  1. Open a new browser tab for the Splunk platform. Navigate to the Search tab.
  2. In the Search field, enter one of the following searches, based on your sendalert command:
    index="cim_modactions" | search sendtophantom
    index="cim_modactions" | search runphantomplaybook
  3. A list displays, showing all sendtophantom or runphantomplaybook events. Select the arrow next to the most recent event to expand its details. You might see a message about a missing required field or a mismatched value.
  4. Return to your original browser tab for the Splunk platform, update the sendalert command, and run it again.
Last modified on 25 March, 2024
PREVIOUS
Create and export data models and saved searches to send to Splunk SOAR 		  NEXT
Use adaptive response relay to send notable events from Splunk ES to Splunk SOAR

This documentation applies to the following versions of Splunk® App for SOAR Export: 4.3.2

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters