Splunk® App for SOAR Export

Use the Splunk App for SOAR Export to Forward Events

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Check prerequisites for Splunk App for SOAR Export on Splunk Enterprise

Verify that your environment is ready to use the Splunk App for SOAR Export to integrate Splunk SOAR with your Splunk Enterprise deployment.

Required user privileges and ports

Verify the following user privileges and ports:

  • The Splunk App for SOAR Export requires that a user with administrative privileges installs both the Splunk App for SOAR Export and Splunk software. In situations where events can't be sent from the Splunk platform to Splunk SOAR using alert actions, adaptive response actions, or event forwarding, the events are stored in the phantom_retry KV Store collection. Splunk App for SOAR Export automatically runs the phantom_retry.py script every 60 seconds to try to send any events that could not be sent earlier.
  • By default, Splunk SOAR must have TCP ports 443 and 8089 open to and from Splunk Enterprise Security (ES) search heads.
    If you are using other TCP ports to connect to Splunk Enterprise Security search heads, substitute those ports. Be consistent with the substituted TCP port numbers.
  • In your on-premises deployment, verify that you have the necessary network availability among all devices.

Splunk product compatibility matrix

Use this matrix to determine the compatibility of the Splunk App for SOAR Export with certain versions of Splunk Cloud Platform or Splunk Enterprise and Splunk SOAR (Cloud) or Splunk SOAR (On-premises). You can use all versions that appear in a single row interchangeably. Splunk Enterprise Security is not required for Splunk App for SOAR Export.

Notations like Splunk Enterprise Security versions 6.5.1, 6.5.x mean that Splunk Enterprise Security version 6.5.1 or any 6.5.x release later than 6.5.1 is required.

Splunk App for SOAR Export version Splunk Enterprise version Splunk Cloud Platform version Splunk Enterprise Security version Splunk SOAR (On-premises) version Splunk SOAR (Cloud) Version
4.3.2
(CIM version 5.1.1) 		9.2.1 9.1.2312 7.3.1 6.2.0
6.2.1 		6.2.0
6.2.1
9.1.3
9.2.0 		9.1.2308
9.1.2312 		7.3.0 6.2.1 6.2.1
9.1.2
9.1.3
9.2.0
9.2.1 		9.1.2308
9.1.2312 		7.3.0 6.2.0 6.2.0
9.1.1
9.1.2
9.2.0 		9.1.2308 7.2.0 6.1.1
6.2.0 		6.1.1
6.2.0
9.1.0.2
9.1.1 		9.0.2305
9.1.2308 		7.2.0 6.1.0
6.1.1 		6.1.0
6.1.1
9.0.5
9.1.0.2
9.1.1 		9.0.2303
9.0.2305 		7.1.1 6.1.0
6.1.1 		6.1.0
6.1.1

Required app

Make sure you have the following app installed on your Splunk Enterprise deployment:

App Description
Common Information Model Download the Splunk Common Information Model (CIM) from Splunkbase. If you have Splunk Enterprise Security (ES) installed, you don't need to download this library as it is already included with Splunk ES.


This app is required for the automated mapping models in adaptive response actions on the Splunk platform to work correctly.

Last modified on 09 April, 2024
PREVIOUS
About Splunk App for SOAR Export 		  NEXT
Install Splunk App for SOAR Export on Splunk Enterprise

This documentation applies to the following versions of Splunk® App for SOAR Export: 4.3.2

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters