Pair Splunk Enterprise Security with Splunk SOAR
For automation functionality that lets users run actions, run playbooks, and review automation history in Splunk Enterprise Security, pair your Splunk Enterprise Security instance with your Splunk SOAR instance.
Licensing
Splunk SOAR automatically pulls a license from your pool of available Splunk SOAR licenses when a Splunk Enterprise Security user interacts with Splunk SOAR automation. Be sure that you have enough available Splunk SOAR licenses for Splunk Enterprise Security users in their associated Splunk SOAR role. For details on licensing, see View your Splunk SOAR (Cloud) license.
Prerequisites
Address these points before you begin pairing:
- To perform the pairing process, your role must have soar_admin capabilities. If you do not have these capabilities, contact your Splunk administrator.
- Obtain the host name for your Splunk Enterprise Security instance and have it nearby.
Contact your Splunk SOAR administrator for the following information:
- Obtain the following information about your Splunk SOAR instance and have it nearby:
- IP address
- Host name
- Login credentials (username and password)
- Verify that the Splunk Enterprise Security IP address is on the Splunk SOAR allow list.
Before you begin: Allow Splunk SOAR IP
Before you can pair, you must include the Splunk SOAR IP address in multiple sections of the Splunk Cloud Platform IP allow list.
Check to see if the Splunk SOAR IP address is already included in the Splunk Cloud Platform IP allow list in each of these sections:
- Search head API access
- IDM API
- Search head UI access
If needed, add the Splunk SOAR IP address to each of these sections. For details, see Configure IP allow lists for Splunk Cloud Platform in the Admin Config Service Manual.
Perform pairing
To pair Splunk Enterprise Security with Splunk SOAR, follow these steps:
- Log into Splunk Enterprise Security. From the Configurations page, select Splunk SOAR, then Pairing.
- Select Start pairing.
- On the Pairing and testing page, enter the information for your Splunk SOAR administrative account that you obtained from the Splunk SOAR administrator.
The credentials you provide are used only during the pairing process. They are not stored here. Pairing is not affected by password changes or password rotation.
The following credentials are required:- host name
- username and password
- Review the displayed Splunk Enterprise Security host name.
- If the displayed host name is correct, move on to the next step.
- If your Splunk Enterprise Security host name is different, replace the displayed host name with the actual host name of your Splunk Enterprise Security deployment.
- Select Next to test the connection between Splunk Enterprise Security and Splunk SOAR.
- If the connection is successful: The next step, Role mapping, appears. Proceed to Step 5 in this section.
- If there is an issue: Read the message provided and address the issue. Then select Next to test the connection again.
Possible issues include: - Your Splunk SOAR version is not compatible with this version of Splunk Enterprise Security. Contact your Splunk SOAR administrator about upgrading your Splunk SOAR deployment.
- The credentials you entered are not correct. Contact your Splunk SOAR administrator to verify the Splunk SOAR credentials.
- The Splunk Enterprise Security IP address is not included in the Splunk SOAR allow list. Ask your Splunk SOAR administrator to contact Splunk Support to update the allow list.
- On the Role mapping page, map roles in Splunk platform to roles in Splunk SOAR. For example, you might want to map the Splunk platform role of ess_analyst to the Incident commander role in Splunk SOAR. Select an available Splunk platform role, then select one or more Splunk SOAR roles to map, giving the Splunk SOAR roles the capabilities from the Splunk platform roles. Select the plus button for each additional role you want to map.
You must map at least one Splunk Enterprise Security role to the Splunk SOAR Administrator role. For details on Splunk SOAR roles, see the Enterprise Security section of Manage roles and permissions in Splunk SOAR (Cloud) in the Administer Splunk SOAR (Cloud) documentation. - After you finish mapping roles, select Finish pairing.
- On the Pairing page, confirm that the message states that Splunk Enterprise Security is paired with Splunk SOAR. If needed, you can update the role mapping by selecting Edit in the corresponding section.
Verify pairing Splunk Enterprise Security with Splunk SOAR
to verify that Splunk Enterprise Security is paired with Splunk SOAR:
- Log into Splunk Enterprise Security. From the Configurations page, select Splunk SOAR, then Pairing.
- On the Pairing page, confirm that:
- the top-most message states that Splunk Enterprise Security is paired with Splunk SOAR
- the Configuration details section includes a list of role mappings
- If either the successful pairing message or the role mappings are missing, consult Troubleshoot pairing Splunk Enterprise Security with Splunk SOAR in Troubleshoot Splunk Enterprise Security.
Unpair Splunk Enterprise Security from Splunk SOAR
You might want to unpair Splunk Enterprise Security from Splunk SOAR if you are switching out or performing maintenance on your Splunk SOAR server.
Unpairing affects people who are using Splunk Enterprise Security; users will not be able to run actions, run playbooks, or to review automation history.
Unpairing does not delete existing playbooks in Splunk SOAR.
To unpair Splunk Enterprise Security from Splunk SOAR, follow these steps:
- Log into Splunk Enterprise Security. From the Configurations page, select Splunk SOAR, then Pairing.
- On the Pairing page, select Unpair. When prompted, select Unpair to confirm that you want to unpair.
Wait for the unpairing process to complete.
The Pairing page displays. There, you can review the pairing history or choose to pair again.
See also
- Refer your Splunk SOAR administrator to the Pair Splunk SOAR with Splunk Enterprise Security article in the Administer Splunk SOAR (Cloud) documentation.
- For more information on administering Splunk SOAR, see Administer Splunk SOAR (Cloud).
Configure per-panel filtering in Splunk Enterprise Security | Turn on debug logging in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0
Feedback submitted, thanks!