After the classic playbook editor is removed in a future release, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify them.
For details, see:
Add and configure apps and assets to provide actions in Splunk SOAR (On-premises)
Splunk SOAR (On-premises) apps expand the capabilities of your instance by enabling connections to third-party products and services. These products and services provide actions that you can run manually or automate in your playbooks. For example, the MaxMind app provides the geolocate ip action for your deployment.
Splunk SOAR (On-premises) supports apps written in Python 3. Python 2 apps are not supported after release 5.3.4.
You can upgrade existing apps or install new apps at any time without having to upgrade the entire platform.
Apps have full access to the operating system, and no security restrictions are applied to an app while it is running. Treat every app as code that runs with the privileges of the platform itself: install only apps from sources you trust, and review the source of third-party or community apps before installing them.
An asset is a specific configuration, or instance, of an app. An asset is configured with the information required to communicate with the third-party product or service, such as IP address, automation service account, username, and password.
For example, Splunk SOAR (On-premises) ships with a VMware vSphere app that lets it get information from, and take actions against, a vSphere host. You can use it to start and stop VMs, take snapshots, and download memory snapshots for analysis. For the app to communicate with your vSphere servers, you must provide connection details and credentials, such as the hostname or IP address, username, and password. You might have multiple vSphere servers, such as several individual ESXi hosts, or you might have them centralized on one vCenter server. To tell Splunk SOAR (On-premises) about a given vSphere server, create a vSphere asset and provide the address and credentials needed for that server. You can then create another vSphere asset with a different address and credentials if needed. When taking actions, you specify which asset the action is for.
This table shows how multiple vSphere assets are configured from a single vSphere app:
App | Configure multiple assets from a single app |
---|---|
VMware vSphere | vSphere 1 |
| vSphere 2 |
| vSphere 3 |
View your Splunk SOAR (On-premises) apps
Splunk SOAR (On-premises) ships with hundreds of apps already installed. You can find more apps on Splunkbase, obtain them from other users, and even create your own. See Apps overview in Develop Apps for Splunk SOAR (On-premises).
Perform the following tasks to view the apps provided by Splunk SOAR (On-premises) on the Apps page.
- From the Home menu, select Apps to access the Apps page.
- View the list of configured apps on the Configured Apps tab. Any app that has at least one asset configured appears on this page. You can expand each app to view its configured assets and the actions the app provides. Click Configure New Asset to configure a new asset for the app. See Add a new asset.
- (Optional) Click Unconfigured Apps to view the list of apps installed on your instance that do not have at least one asset configured.
- (Optional) Click Orphaned Assets to review any assets that no longer have a corresponding app installed.
Install, update, or delete apps on Splunk SOAR (On-premises)
Navigate to the Apps page to install, update, or delete apps.
Install a new Splunk SOAR (On-premises) app
Perform the following steps to install a new app:
- Obtain the new app or develop a new app. See Apps overview in Develop Apps for Splunk SOAR (On-premises).
- From the Home menu, select Apps.
- Click Install App.
- Drag and drop a .tar or .rpm archive of the app into the file field, or click in the file field and navigate to the location of the app file on your system.
- Click Install.
You can install new apps from Splunkbase:
- From the Home menu, select Apps.
- Click New Apps.
- A list of available apps is displayed.
- If you do not see the app you are looking for, you can search apps by typing search terms into the search bar at the top of the list of apps.
- Select the app you want to install then click Install. If you want to install all available apps click Install All.
- If you are prompted for your credentials, use your Splunk.com login information.
After installing an app using either method, the new app is available on the Unconfigured Apps tab of the Apps page.
For compatibility needs, you can install multiple versions of the same app. However, only one version of the app can be active at a time.
Switching the active version of an app may have unintended consequences. For example, there might be differences among the actions, parameters, or output depending on the version of the app. Be sure to modify any playbooks as needed to be compatible with the active version of the app.
Update existing Splunk SOAR (On-premises) apps
To update an existing app, perform the following steps:
- From the Home menu, select Apps.
- Click App Updates.
- Select any apps with available updates.
- Click Update.
Delete a Splunk SOAR (On-premises) app
Perform the following steps to delete an app:
- From the Home menu, select Apps.
- Click the trash can icon for the app you want to delete.
- Click Delete to confirm you want to delete the app.
You can re-install any app that you deleted by downloading the app and installing the app again. See Install a new Splunk SOAR (On-premises) app.
View your Splunk SOAR (On-premises) assets
Splunk SOAR (On-premises) ships with one asset already configured for each of the DNS, MaxMind, PhishTank, REST Data Source, and WHOIS apps.
To view configured assets, perform the following tasks:
- From the Home menu, select Apps.
- Verify the Configured Apps tab is selected.
- In any app, click the arrow icon corresponding to configured assets to expand the section and view the assets. For example, if an app shows 3 configured assets, click on the arrow to view the configured assets. You can hover over the asset to edit or delete the asset.
Add, edit, or delete a Splunk SOAR (On-premises) asset
Manage the assets in your instance. You can add a new asset, and edit or delete existing assets.
Add a new Splunk SOAR (On-premises) asset
Perform the following steps to create a new asset:
- From the Home menu, select Apps.
- Click Configure New Asset for the desired app.
- In the Asset Name field, enter a name for the asset such as firewall. This name is the one you use when referring to the asset in scripts. Specify the name as a string without spaces or punctuation.
- (Optional) In the Asset Description field, enter a longer and more descriptive name for this asset, such as Perimeter Firewall for the engineering network.
- (Optional) Enter one or more tags for the asset. You can use the same tag for multiple assets to group them together, and then perform actions on all assets with matching tags. See Add tags to objects in Splunk SOAR (On-premises).
- Click Save.
The amount of configuration required for each asset is determined by the app. Some assets require additional configuration. For example, if you configure a QRadar asset, you must also configure settings on the Asset Settings and Ingest Settings tabs before you can save the configuration.
- Most assets require authentication information so that Splunk SOAR (On-premises) can connect to the desired server or service. You can configure authentication for an asset on the Asset Settings tab.
- Data ingestion settings, such as polling intervals and where to put the data once it is ingested, are configured on the Ingest Settings tab. The destination for ingested data is called a container in Splunk SOAR (On-premises).
If you need to connect to assets using the Splunk SOAR Automation Broker, see Configure Connectors to use the Splunk SOAR Automation Broker in Set Up and Manage the Splunk SOAR Automation Broker.
Edit a Splunk SOAR (On-premises) asset
Perform the following steps to edit an asset:
- From the Home menu, select Apps.
- Make sure the Configured Apps tab is selected.
- Click on the number of configured assets in the app to expand the section.
- In the table of configured assets, click the asset you want to edit.
- Click Edit, then make any desired changes. You can edit an asset's description, tags, settings, and approval settings. To change the asset name, you must delete the current asset and create a new asset with the desired name.
- Click Save.
Reassign an orphaned Splunk SOAR (On-premises) asset
You can assign orphaned assets to an app from the user interface:
- From Home > Apps > Orphaned Assets select the orphaned asset.
- Click Assign App.
- In the dropdown menu, select the App, then click Assign.
Delete a Splunk SOAR (On-premises) asset
Perform the following steps to delete an asset:
- From the Home menu, select Apps.
- Make sure the Configured Apps tab is selected.
- Click on the number of configured assets in the app to expand the section.
- In the table of configured assets, click the asset you want to delete.
- Click Delete Asset.
- Click Confirm to confirm that you want to delete the asset.
Configure advanced asset settings
Configure advanced asset settings such as the concurrent action limit, just in time (JIT) credentials, automation users, asset environment variables, and proxies.
Set the concurrent action limit
Set the concurrent action limit on an existing asset, or on a new asset, by following these steps:
- From the Home menu, select Apps.
- Find the app you want and click Configure New Asset. Or, to change the limit on an existing asset, click that asset.
- Click the Asset Settings tab, then click Advanced.
- In the Concurrent Action Limit box, enter the number of actions you want to allow to run concurrently on the asset. You can run up to 10 actions at once. Use caution when changing this limit, because it can significantly affect performance.
- Run actions on the asset and evaluate performance.
For information on setting the global action concurrency limit, see Set the global action concurrency limit.
Changing this setting after the asset has been saved restarts the actiond daemon, which interrupts all running actions and the playbooks that depend on them.
Disable action lock or action concurrency
Within an action entry in the app JSON, the optional lock key controls whether and how instances of that action are serialized when they run on an asset.
- A lock is represented by its name.
- Multiple actions locking on the same name will be serialized even if the actions are from different apps.
- If no lock dictionary is present, the platform runs the actions using the asset as the lock name.
To disable the lock for an action, the lock dictionary must be present and the "enabled" key set to false. When "enabled" is false, any number of instances of the action can run concurrently.
"lock": { "enabled": false, "data_path": "parameters.hash", "timeout": 600 }
Parameter | Required? | Description |
---|---|---|
enabled | Required | Boolean value that specifies whether the lock is enabled for this action. |
data_path | Optional | The name of the lock. Only valid if the lock is enabled. The value is either a datapath that points to a parameter of the action, such as parameters.hash where hash is one of the action's parameters, or a datapath that points to a configuration parameter of the asset, such as configuration.server. At runtime, the platform reads the value stored at that datapath and uses it as the name of the lock. You can also use a constant string: any string that does not start with configuration. or parameters. is used as the lock name as is. If data_path is not specified, the asset is used as the lock name. |
timeout | Optional | The number of seconds to wait to acquire the lock before an error condition is reported. |
If multiple actions with the lock enabled are scheduled to run on an asset, you may want to exclude only some of them from running concurrently. To exclude a specific action, set concurrency to false in that action's lock dictionary in the app JSON. When both "enabled" and "concurrency" are true, multiple instances of the action can run concurrently, up to the concurrent action limit. When "enabled" is true and "concurrency" is false, only a single instance of the action runs at a time.
"lock": { "enabled": true, "concurrency": false }
Parameter | Required? | Description |
---|---|---|
enabled | Required | Boolean value that specifies whether the lock is enabled for this action. |
concurrency | Optional | Defaults to true, which allows concurrent instances of the action to run. Set concurrency to false to opt the action out of concurrent execution. |
If the lock is enabled on an action but concurrency is set to false in the app JSON, the action is not counted toward the concurrent action limit you set in Asset Settings.
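The following Python is an added illustration of the lock semantics described above; it is not Splunk SOAR platform code. It resolves the lock name an action request would serialize on from its lock dictionary (parameters. and configuration. datapaths, a constant string, or the asset when data_path is absent), reports whether the request counts toward the asset's Concurrent Action Limit, and groups a queue of requests by lock name. The asset name, the action labels, and the hash values in the sample queue are constructed for the example; what the platform does when a data_path names a parameter the request does not carry is not documented on this page, so the example deliberately does not guess and lets that case raise.

```python
"""Resolve lock names for action requests under the app-JSON `lock` key semantics.

Added illustration of the documented behaviour; not Splunk SOAR platform code.
"""
from typing import Any, Dict, List, Optional, Tuple


def _resolve_data_path(data_path: str, parameters: dict, configuration: dict) -> Any:
    """Map a data_path to its runtime value.

    'parameters.<name>' reads an action parameter, 'configuration.<name>' reads an
    asset configuration value; any other string is a constant and is used as is.
    """
    if data_path.startswith("parameters."):
        # A missing parameter raises KeyError on purpose: the page does not say what
        # the platform does in that case, so this example does not invent a fallback.
        return parameters[data_path[len("parameters."):]]
    if data_path.startswith("configuration."):
        return configuration[data_path[len("configuration."):]]
    return data_path


def lock_name(asset_name: str, lock: Optional[dict], parameters: dict, configuration: dict) -> Optional[str]:
    """Return the lock name for one action request, or None if the action runs unlocked."""
    if lock is None:
        # No lock dictionary in the action entry: the asset itself is the lock name.
        return asset_name
    if not lock.get("enabled", False):
        # "enabled": false disables the lock; any number of instances may run concurrently.
        return None
    if "data_path" not in lock:
        return asset_name
    return str(_resolve_data_path(lock["data_path"], parameters, configuration))


def counts_toward_limit(lock: Optional[dict]) -> bool:
    """Whether a request is counted against the asset's Concurrent Action Limit.

    A disabled lock is unlimited, and an enabled lock with "concurrency": false is
    serialized outside the limit; everything else is counted.
    """
    if lock is None:
        return True
    if not lock.get("enabled", False):
        return False
    return bool(lock.get("concurrency", True))


def contention_groups(asset_name: str, requests: List[Tuple[str, Optional[dict], dict, dict]]) -> Dict[Optional[str], List[str]]:
    """Group queued requests (label, lock, parameters, configuration) by resolved lock name.

    Requests in the same group are serialized; the None group runs unlocked.
    """
    groups: Dict[Optional[str], List[str]] = {}
    for label, lock, parameters, configuration in requests:
        key = lock_name(asset_name, lock, parameters, configuration)
        groups.setdefault(key, []).append(label)
    return groups


# Constructed sample: a file-reputation action that locks on the submitted hash, so two
# lookups of the same hash are serialized while a lookup of a different hash is not.
HASH_LOCK = {"enabled": True, "data_path": "parameters.hash", "timeout": 600}
SAMPLE_REQUESTS = [
    ("lookup-1", HASH_LOCK, {"hash": "44d88612fea8a8f36de82e1278abb02f"}, {}),
    ("lookup-2", HASH_LOCK, {"hash": "44d88612fea8a8f36de82e1278abb02f"}, {}),
    ("lookup-3", HASH_LOCK, {"hash": "d41d8cd98f00b204e9800998ecf8427e"}, {}),
    ("ping", {"enabled": False}, {}, {}),
]

if __name__ == "__main__":
    for name, members in contention_groups("reputation_prod", SAMPLE_REQUESTS).items():
        print(f"lock {name!r}: {members}")
```

Locking on the hash rather than on the asset is the usual reason to set data_path: duplicate lookups of one indicator are forced to run one after another, while lookups of unrelated indicators can still proceed in parallel up to the asset's limit.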
Configure Just In Time Credentials for a Splunk SOAR (On-premises) asset
Some assets can be configured to use just in time (JIT) credentials, which require a user to type in credentials before any further action is taken. Use JIT credentials if your organization has policies against providing credentials in an automated manner, or if you are using one-time passwords.
To configure JIT credentials, perform the following steps:
- Navigate to the asset configuration page.
- Click the Asset Settings tab.
- Click Advanced to expand the section.
- Click Edit if you are editing an existing asset. You don't need to do this if you are configuring a new asset.
- In the Enable Just in Time credentials for field, select the fields for which you want to enable JIT authentication. For example, select username and password to enable JIT for login credentials.
- Click Save.
Once enabled, JIT uses the asset's approval settings to determine the set of users who must supply the credentials to complete the action. See Configure approval settings for an asset.
To use JIT, you must have at least one approver set up for the asset. If you have selected multiple users who require a quorum to approve, then the last user (the one whose vote causes the action to run) must be the one who supplies correct credentials. Earlier users can supply credentials, but the last user supplies the set that is actually used; anything entered before that user is overwritten. Note that even if you have Automatic self-approval configured for your own approval vote, you still receive a JIT prompt when credentials are required.
Configure automation users for a Splunk SOAR (On-premises) asset
Define the automation user to specify the service account Splunk SOAR (On-premises) uses to run the asset. The default account is the automation account provided by Splunk SOAR (On-premises).
Perform the following tasks to select a custom automation user for an asset:
- Navigate to the asset configuration page.
- Click the Asset Settings tab.
- Click on Advanced to expand the section.
- Click Edit if you are editing an existing asset. You don't need to do this if you are configuring a new asset.
- In the Select a user on behalf of which automated actions can be executed (e.g. test connectivity, ingestion) field, select the desired automation user.
- Click Save.
Configure environment variables for a Splunk SOAR (On-premises) asset
Environment variables configured in an asset take precedence over any global environment variables. Perform the following tasks to set environment variables for an asset:
- Navigate to the asset configuration page.
- Click the Asset Settings tab.
- Click on Advanced to expand the section.
- Click Edit if you are editing an existing asset. You don't need to do this if you are configuring a new asset.
- Click + Variable to add a new environment variable.
- Enter the name and value of the variable.
- (Optional) Click Secret to encrypt the value so that it is not displayed in the web interface.
- (Optional) Click + Variable to add more variables as needed.
- Click Save.
See Configure proxies for an asset for information on how to set environment variables so that the asset can use a proxy.
Configure proxies for a Splunk SOAR (On-premises) asset
Perform the following steps to configure the environment variables needed for the app to communicate with a proxy:
- Navigate to the asset configuration page.
- Select the Asset Settings tab.
- Select Advanced to expand the section.
- Select Edit if you are editing an existing asset. You don't need to do this if you are configuring a new asset.
- Select + Variable to add a new environment variable.
- Configure the HTTP_PROXY, HTTPS_PROXY, or NO_PROXY variables depending on the type of proxy connection.
- For HTTP and HTTPS proxy configurations, include the protocol, hostname or IP address, and the port of the proxy server. For example:
<Protocol>://<Hostname/IP>:<Port>
- For NO_PROXY configurations, include the IP addresses, hostnames, or domains that must be reached directly rather than through the proxy.
- (Optional) Select Secret to encrypt the value so that it is not displayed in the web interface.
- Select Save.
The table shows an example of how to configure HTTP, HTTPS, and no proxy for an asset. For apps that use the Python requests library, configuring both the HTTPS and HTTP environment variables directs all of the app's traffic through the proxy server.
Proxy Name | Proxy Value |
---|---|
HTTP_PROXY | http://192.168.13.1:80 |
HTTPS_PROXY | https://192.168.13.100:8800 |
NO_PROXY | 127.0.0.1, localhost, localhost.localdomain |
When configuring the system to use an HTTP or HTTPS proxy, Splunk SOAR (On-premises) requires that you exempt calls to the loopback interface from the proxy. You must set the environment variable NO_PROXY to include 127.0.0.1, localhost, and localhost.localdomain so that REST calls on the loopback interface are not diverted to the proxy.
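The following Python is an added check, not part of this page or of Splunk SOAR, for previewing what an asset's proxy variables will do before you save them. It validates the HTTP_PROXY and HTTPS_PROXY format, flags a NO_PROXY that does not exempt the loopback names listed above, and reports which proxy a given request would use. The NO_PROXY matching is delegated to the standard library's urllib.request.proxy_bypass_environment, which is the same check the requests library consults when the proxy variables are set in the environment. The two sample variable sets are constructed from the table above; the second one deliberately omits NO_PROXY to show loopback REST calls being diverted.

```python
"""Preview how an asset's proxy environment variables route app HTTP traffic.

Added illustration, not Splunk SOAR code. NO_PROXY matching reuses the standard
library's urllib.request.proxy_bypass_environment.
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit
from urllib.request import proxy_bypass_environment

# Loopback names the documentation says NO_PROXY must include so REST calls stay local.
REQUIRED_NO_PROXY = ("127.0.0.1", "localhost", "localhost.localdomain")


def env_to_proxies(env: Dict[str, str]) -> Dict[str, str]:
    """Map *_PROXY variables (any case) to the {'http': ..., 'https': ..., 'no': ...} dict urllib uses."""
    proxies: Dict[str, str] = {}
    for name, value in env.items():
        name = name.lower()
        if value and name.endswith("_proxy"):
            proxies[name[: -len("_proxy")]] = value
    return proxies


def check_proxy_vars(env: Dict[str, str]) -> List[str]:
    """Return a list of problems with the asset's proxy variables; an empty list means none were found."""
    problems: List[str] = []
    proxies = env_to_proxies(env)
    for key in ("http", "https"):
        value = proxies.get(key)
        if value is None:
            continue
        parts = urlsplit(value)
        try:
            port = parts.port
        except ValueError:  # non-numeric port
            port = None
        if parts.scheme not in ("http", "https") or not parts.hostname or port is None:
            problems.append(f"{key.upper()}_PROXY must be <Protocol>://<Hostname/IP>:<Port>, got {value!r}")
    if "http" in proxies or "https" in proxies:
        no_proxy = {entry.strip() for entry in proxies.get("no", "").split(",") if entry.strip()}
        missing = [host for host in REQUIRED_NO_PROXY if host not in no_proxy]
        if missing:
            problems.append("NO_PROXY must exempt the loopback interface; missing: " + ", ".join(missing))
    return problems


def proxy_for(url: str, env: Dict[str, str]) -> Optional[str]:
    """Return the proxy a request to `url` would use, or None for a direct connection."""
    proxies = env_to_proxies(env)
    parts = urlsplit(url)
    # netloc keeps any explicit port; proxy_bypass_environment strips it before matching.
    if proxy_bypass_environment(parts.netloc, proxies):
        return None
    return proxies.get(parts.scheme)


# Constructed examples: the documented sample values, and the same setup with NO_PROXY left out.
ASSET_ENV_OK = {
    "HTTP_PROXY": "http://192.168.13.1:80",
    "HTTPS_PROXY": "https://192.168.13.100:8800",
    "NO_PROXY": "127.0.0.1, localhost, localhost.localdomain",
}
ASSET_ENV_NO_LOOPBACK = {"HTTPS_PROXY": "https://192.168.13.100:8800"}

if __name__ == "__main__":
    for label, env in (("ok", ASSET_ENV_OK), ("no-loopback", ASSET_ENV_NO_LOOPBACK)):
        print(label, check_proxy_vars(env) or "no problems")
        print("  REST call to loopback goes via:", proxy_for("https://127.0.0.1/rest/container", env))
```

With the documented values, an app request to an external service goes through the matching proxy while a REST call to 127.0.0.1 or localhost connects directly; with NO_PROXY missing, that same loopback call is handed to the HTTPS proxy, which is the failure the note above warns about.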
Configure ingest settings for a Splunk SOAR (On-premises) asset
Data ingestion settings are available for assets such as QRadar, Splunk, and IMAP. Perform the following steps to configure ingestion settings for an asset:
- Navigate to the Asset Configuration page.
- Click the Ingest Settings tab.
- Click Edit if you are editing an existing asset. You don't need to do this if you are configuring a new asset.
- In the Label to apply to objects from this source field, select a container label you want to apply to objects from this source. You can also type in a new label name.
- (Optional) Configure a polling interval for the asset to ingest data.
- Select Interval to configure the number of minutes between polls.
- Select Scheduled to view additional options and intervals.
- (Optional) Some assets have a Process Missed Jobs checkbox. Check this box if you want to process any missed jobs. Jobs can be missed when Splunk SOAR (On-premises) is not running, or when one poll does not complete before the next one starts.
- Click Save.
Configure approval settings for a Splunk SOAR (On-premises) asset
Actions on assets created with no approvers run immediately. That is usually acceptable for an asset that provides a whois lookup action. For assets such as firewalls, company policy usually restricts who may change firewall settings, so actions performed on a firewall asset should go through the approval process.
Configure the approval settings for an asset to determine who must approve the actions taken against the asset. See Approve actions before they run in Use Splunk SOAR (On-premises).
To configure approval settings for an asset, perform the following steps:
- Navigate to the asset configuration page.
- Click the Approval Settings tab.
- Click Edit if you are editing an existing asset. You don't need to do this if you are configuring a new asset.
- Select the users and roles you want to configure as primary approvers. Click the arrow keys to add or remove users and roles to the Primary Approvers field.
- Select the number of required primary approvers from the drop-down list in the Required primary approvers field.
- Select the users and roles you want to configure as secondary approvers. Click the arrow keys to add or remove users and roles to the Secondary Approvers field.
- Select the number of required secondary approvers from the drop-down list in the Required secondary approvers field.
- Click Save.
Configure Executive approvers for an asset
When all SLA escalations expire without being acted on, Executive approvers receive an SLA breach notification. To configure Executive approvers, follow these steps:
- From the main menu select Administration then Response.
- On the Response page, uncheck Automatic self-approval.
- Search for and select one or more Executive approvers from the list.
- Select Save Changes.
Configure the tenant assigned to a Splunk SOAR (On-premises) asset
Assign a tenant to an asset to separate data and make sure that the asset is only used with containers belonging to the same tenant. You can only assign tenants to an asset if multi-tenancy is configured and enabled in Splunk SOAR (On-premises). See Configure multiple tenants on your instance.
Perform the following steps to assign a tenant to an asset:
- Make sure multi-tenancy is enabled on your instance.
- Navigate to the asset configuration page.
- Click the Tenants tab.
- Click Edit if you are editing an existing asset. You don't need to do this if you are configuring a new asset.
- Select the desired tenants from the Available Tenants box and click the arrows to move them to the Mapped to Asset box.
- Non-ingestion assets that do not have a tenant assigned are available to all tenants. You can assign multiple tenants to a non-ingestion asset.
- Ingestion assets must have one tenant assigned. You can't assign multiple tenants. If no tenant is selected in the asset configuration, the default system tenant is assigned to the asset and any containers created by the asset.
- Click Save.
This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.3.5, 5.4.0, 5.5.0, 6.0.0, 6.0.1, 6.0.2