Splunk® App for SOAR Export

Use the Splunk App for SOAR Export to Forward Events


Connect the Splunk App for SOAR Export and the Splunk Platform to Splunk SOAR

Configure a Splunk SOAR server so that the Splunk App for SOAR Export and the Splunk platform can connect to your Splunk SOAR instance.

To configure a Splunk SOAR server, follow these steps:

  1. Before you begin, make sure you have added the required roles to the admin user. See Enable Splunk platform users to use Splunk App for SOAR Export.
  2. (Optional) If you are connecting to a Splunk Enterprise instance and you have not configured certificates for Splunk SOAR and the Splunk platform, you can disable HTTPS certificate validation on the Splunk platform. Perform the following steps:
    1. Run the following command and provide the proper username, password, and splunkaddress:
      curl -ku '<username>:<password>' https://<splunkaddress>:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs\?output_mode\=json -d value=0
    2. Return to the Splunk SOAR configuration page and verify that the HTTPS certificate verification is disabled message appears with a warning icon.
  3. Navigate to Splunk App for SOAR, installed on your Splunk platform instance.
  4. Select the Configurations tab.
  5. Select Create Server.
  6. To add a new server, use an authorization token from Splunk SOAR. To get an authorization token, follow these steps:
    1. Navigate to your Splunk SOAR instance.
    2. From the main menu, select Administration.
    3. Select User Management, then Users.
    4. You can either use the default automation user and change the allowed IP addresses, or create a new automation user. In this example we will create a new automation user. Select + User to create a new automation user.
    5. Update the Allowed IPs field to reflect the IP address or IP range for the Splunk platform instance.

      Do not use the value any, which permits every source address, unless you are troubleshooting or testing.

    6. (Optional) To synchronize custom severity levels you might have created in Splunk SOAR, add the Observer role to this user. In the Roles field, select Observer.
    7. Select Create to create the user.
    8. On the Users page, select the ellipsis (...) icon for the new automation user and select Edit.
    9. Copy the text in the Authorization Configuration for REST API box.
    10. Select Save.
  7. Navigate back to the Splunk App for SOAR on your Splunk platform instance and paste the authorization token in the Authorization Configuration box. Verify that the format of the object looks like the following example:
    {
      "ph-auth-token": "*********",
      "server": "https://10.1.65.229"
    }
    
  8. Enter an optional name for the server. This will show up later in Splunk SOAR as your container name, so pick a name you can easily identify.
  9. (Optional) Configure a Proxy server. For example:
    • An HTTP proxy, in the format http://[<username>[:password]@]<host>[:<port>]. For example:
      http://username:password@172.31.225.254:8080
    • An HTTPS proxy, in the format https://[<username>[:password]@]<host>[:<port>]. For example:
      https://username:password@proxy.host.com:8080
  10. (Optional) Select Optional: This server will be used for AR Relay if this server will be used in an adaptive response relay configuration. See Use adaptive response relay to send notable events from Splunk ES to Splunk SOAR.
  11. Select Save. A page shows your new server. If you have multiple servers, they are listed on this page.
  12. To test your server, select Manage, then Test Connectivity. A success message appears if the server is working correctly.
  13. (Optional) Select Manage, then Sync Playbooks to further test connectivity and make sure that your playbooks are synchronized. See Synchronize the list of available Splunk SOAR playbooks on your Splunk platform.
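The values entered in steps 5, 7 and 9 above are easy to get subtly wrong (an http:// server URL, a malformed proxy string, an Allowed IPs entry that either uses any or does not actually include the Splunk platform address). The following pre-flight checker is an added example, not part of the Splunk App for SOAR Export or Splunk SOAR; it assumes the Authorization Configuration object has the two keys shown in step 7, that proxy URLs follow the format shown in step 9, and that the Allowed IPs field accepts a comma-separated list of IP addresses or CIDR ranges (an assumption about the field's syntax).

```python
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Matches the proxy format from the procedure: scheme://[user[:password]@]host[:port]
PROXY_RE = re.compile(
    r'^(?P<scheme>https?)://'
    r'(?:(?P<user>[^:@/]+)(?::(?P<pw>[^@/]*))?@)?'
    r'(?P<host>[^:/@]+)'
    r'(?::(?P<port>\d{1,5}))?$'
)


def validate_auth_config(text):
    """Check the pasted Authorization Configuration JSON; return a list of problems (empty = ok)."""
    problems = []
    try:
        obj = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(obj, dict):
        return ["top-level value must be a JSON object"]
    token = obj.get("ph-auth-token")
    if not isinstance(token, str) or not token.strip():
        problems.append("missing or empty ph-auth-token")
    server = obj.get("server")
    if not isinstance(server, str):
        problems.append("missing server")
    else:
        parts = urlsplit(server)
        # The token travels in every request, so insist on TLS to the SOAR instance.
        if parts.scheme != "https":
            problems.append(f"server must use https, got {parts.scheme or 'no scheme'}")
        if not parts.netloc:
            problems.append("server has no host")
    return problems


def validate_proxy_url(url):
    """Return None if the proxy URL matches the documented format, else a description of the problem."""
    match = PROXY_RE.match(url)
    if not match:
        return "does not match scheme://[user[:password]@]host[:port] with scheme http or https"
    port = match.group("port")
    if port is not None and not 1 <= int(port) <= 65535:
        return "port out of range"
    return None


def allowed_ips_covers(allowed, splunk_ip):
    """Check an Allowed IPs value (assumed comma-separated IPs/CIDRs) against the Splunk platform address.

    Returns (ok, reason). 'any' is rejected because it permits every source address.
    """
    entries = [e.strip() for e in allowed.split(",") if e.strip()]
    if any(e.lower() == "any" for e in entries):
        return False, "'any' permits every source address; use it only while troubleshooting"
    addr = ipaddress.ip_address(splunk_ip)
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False, f"{entry!r} is not an IP address or CIDR range"
        if addr in net:
            return True, f"{splunk_ip} is covered by {entry}"
    return False, f"{splunk_ip} is not covered by any entry"


if __name__ == "__main__":
    # Constructed sample values, mirroring the shapes shown in the procedure.
    print(validate_auth_config('{"ph-auth-token": "*********", "server": "https://10.1.65.229"}'))
    print(validate_proxy_url("http://username:password@172.31.225.254:8080"))
    print(allowed_ips_covers("10.0.0.0/24, 192.168.1.10", "10.0.0.5"))
```

Run the checks against the values before you paste them into the Create Server page; a non-empty list from validate_auth_config or a False from allowed_ips_covers means the server will either fail Test Connectivity or accept requests from a wider range than you intended.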

Do not select Enable debug logging unless directed to do so by Splunk support. Debug logging causes a heavy load on your server.

Synchronize Splunk SOAR information on your Splunk Platform for Adaptive Response Actions

You can run an adaptive response action in Splunk Enterprise Security (ES) to send a notable event to Splunk SOAR and also run a playbook on the resulting artifact. Synchronize playbooks and severity levels so they are available to adaptive response actions. See Run adaptive response actions in Splunk ES to send notable events to Splunk SOAR for more information about running adaptive response actions in Splunk ES.

Synchronize the list of available playbooks

Perform the following tasks to make sure that the list of available playbooks is current in your Splunk platform. The list of playbooks is maintained in the <SPLUNK_HOME>/etc/apps/phantom/local/phantom.conf file.

  1. Navigate to Splunk App for SOAR Export on your Splunk platform.
  2. Select the Configurations tab.
  3. In the Actions column for the desired server, select Manage, then Sync playbooks.

Synchronize severity levels

If you created custom severity levels in Splunk SOAR, you can use them in adaptive response actions and event forwarding configurations within Splunk App for SOAR Export. Custom severity levels are synchronized when you add a server in Splunk App for SOAR Export using an automation user with the Observer role, as described earlier in this article. If severities were not synced when you added a server, you can sync them manually by following these steps.

  1. Navigate to Splunk App for SOAR Export on your Splunk platform.
  2. Select the Configurations tab.
  3. In the Actions column for the desired server, select Manage, then Sync severities.

Use caution when deleting custom severity levels that you created in Splunk SOAR and then synchronized with Splunk App for SOAR Export. If an expected custom severity level is no longer present in Splunk SOAR, Splunk App for SOAR Export designates the event as High severity and applies the tag check_sase_severity. You might choose to create a playbook that searches for the check_sase_severity tag and alerts you to check the severity of the event.

For information on creating custom severity names, see Create custom severity names in the Splunk SOAR documentation.

Last modified on 08 February, 2024

This documentation applies to the following versions of Splunk® App for SOAR Export: 4.2.3, 4.3.2
