Splunk® App for SOAR Export

Use the Splunk App for SOAR Export to Forward Events


Install the Splunk App for SOAR Export on Splunk Cloud Platform

Installing the Splunk App for SOAR Export on Splunk Cloud Platform is a 2-step process. Be sure to complete both parts of the process.

1. Work with your support team to meet Splunk Cloud Platform requirements

Work with your support team to make sure your Splunk Cloud Platform environment is ready for you to install the Splunk App for SOAR Export.

The steps in this section are required for proper functioning of the Retry feature, which is responsible for preventing data loss. In the event of a disconnection between Splunk Cloud Platform and Splunk SOAR, the Retry feature will send events when the systems are reconnected.

To verify that your Splunk Cloud Platform environment is ready to install the Splunk App for SOAR Export, follow these steps:

  1. A user with administrative privileges must install both the Splunk App for SOAR Export and Splunk software. When events can't be sent from Splunk Cloud Platform to Splunk SOAR using alert actions, adaptive response actions, or event forwarding, the events are stored in the phantom_retry KV Store collection. The Splunk App for SOAR Export automatically runs the phantom_retry.py script every 60 seconds to try to send any events that could not be sent earlier.
  2. Confirm with the support team that the user invoking the phantom_retry.py script has phantom role permissions.
  3. Your Splunk SOAR instance must be running in the DMZ or perimeter network with the appropriate firewalls or reverse proxies to support internal connectivity.
  4. Submit a support request to the Splunk Cloud Platform team to assist you with TLS certificate configuration.
  5. Splunk SOAR requires a publicly valid certificate chain. The cacerts.pem file must be a single PEM certificate file that contains the server, intermediate, and root certificates.

2. Install Splunk App for SOAR Export in Splunk Cloud Platform

To install Splunk App for SOAR Export, follow these steps:

  1. In Splunk Cloud Platform, select the Apps gear icon.
  2. Select Browse more apps.
    The Splunk App Browser opens.
  3. In the search field, enter SOAR Export.
  4. Locate Splunk App for SOAR Export, then select Install.
  5. Enter your Splunk.com login credentials (username and password).
  6. Select Agree and Install.
    This confirms that you accept the license terms and installs the app on your deployment.
Last modified on 27 February, 2024

This documentation applies to the following versions of Splunk® App for SOAR Export: 4.2.3, 4.3.2