Use adaptive response relay to send notable events from Splunk ES to Splunk Phantom or Splunk SOAR
Adaptive response relay allows adaptive response actions to queue on a heavy forwarder before they are sent to Splunk Phantom or Splunk SOAR. For example, you can use adaptive response relay to schedule a time when resources are more available to send notable events from Splunk Enterprise Security (ES) or Splunk Cloud to Splunk Phantom or Splunk SOAR.
How adaptive response relay sends notable events from Splunk ES to Splunk Phantom or Splunk SOAR
The search head receives the Splunk Phantom server or Splunk SOAR information and playbooks from the heavy forwarder. The heavy forwarder receives the adaptive response actions from the search head.
To get started, perform the following tasks:
- On the search head where you already have Splunk ES and the Splunk Phantom App for Splunk installed:
  - Obtain and install the Lookup File Editor from Splunkbase.
  - In the Lookup File Editor app, click cam_workers.csv and verify that the worker set is hf1 and cam_workers is set to ["hf1"]. Change the values accordingly if they are not.
- Install a Splunk heavy forwarder. On the heavy forwarder:
  - Install Splunk ES and the Splunk Phantom App for Splunk (this add-on).
  - Rename the heavy forwarder server to hf1.
Set up adaptive response relay on your Splunk instances
Configure the heavy forwarder and search head to be able to exchange data with each other.
- On the search head, go to https://<yoursplunkserver>/en-US/splunkd/__raw/alerts/modaction_queue/key and record the API key.
- On the search head, follow the instructions in Configure your Splunk Cloud ES search head with an API key in the Administer Splunk Enterprise Security manual.
- On the heavy forwarder, follow the instructions in Configure your on-premises heavy forwarder with an API key in the Administer Splunk Enterprise Security manual.
- If you are using Splunk Enterprise, perform the following steps to set up forwarding from the heavy forwarder to Splunk Enterprise. If you are using Splunk Cloud Platform, follow the instructions in How to forward data to Splunk Cloud Platform in the Splunk Universal Forwarder Forwarder Manual to set up forwarding from the heavy forwarder to Splunk Cloud Platform.
  - On the indexer, set up the receiving port:
    - In Splunk Web, go to Settings > Forwarding and receiving.
    - In the Receive data section, click + Add new.
    - Enter 9997 in the Listen on this port field to set up port 9997 as the receiving port.
    - Click Save.
  - On the heavy forwarder, set up forwarding to the indexers:
    - In Splunk Web, go to Settings > Forwarding and receiving.
    - In the Configure forwarding section, click + Add new.
    - In the Host field, enter the IP address and port number (9997) of the indexer. For example: 192.168.11.12:9997
    - Click Save.
- On the heavy forwarder, follow the instructions in Configure your on-premises heavy forwarder with a modular action relay in the Administer Splunk Enterprise Security manual to set up a modular action relay.
- On the search head, follow the instructions in Configure your Splunk Cloud ES search head with a modular action worker in the Administer Splunk Enterprise Security manual to set up the Lookup File Editor and add a cam_worker.
- On both the search head and the heavy forwarder, add an action response configuration in the Splunk Phantom App for Splunk:
  - Navigate to the Splunk Phantom App for Splunk.
  - Click the Configurations tab.
  - Click and expand the Alert Action Configuration section.
  - Click Add Alert Action Configuration to create a new configuration.
  - Give the configuration a name, and specify the credentials for the heavy forwarder.
  - Click Save.
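As an added check (example code written for this page, not part of the Splunk Phantom App or the Splunk documentation), the following Python validates the relay prerequisites from configuration text: the cam_workers.csv row for hf1, the heavy forwarder's tcpout target on port 9997, and the indexer's splunktcp listener on that port. The lookup column names worker_set and cam_workers and the stanza name tcpout:idx are assumptions, and the three configuration fragments are constructed samples rather than files from a live deployment.

```python
import csv, io, json, re

# Constructed sample inputs: the search head's cam_workers.csv lookup, the heavy
# forwarder's outputs.conf and the indexer's inputs.conf (column/stanza names assumed).
CAM_WORKERS_CSV = 'worker_set,cam_workers\nhf1,"[""hf1""]"\n'
HF_OUTPUTS_CONF = "[tcpout]\ndefaultGroup = idx\n\n[tcpout:idx]\nserver = 192.168.11.12:9997\n"
IDX_INPUTS_CONF = "[splunktcp://9997]\ndisabled = 0\n"
EXPECTED_WORKER, RECEIVING_PORT = "hf1", 9997  # values the procedure above expects


def parse_conf(text):
    """Minimal Splunk .conf parser: [stanza] headers followed by key = value lines."""
    stanzas, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        match = re.match(r"^\[(.+)\]$", line)
        if match:
            current = match.group(1)
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def check_relay_prereqs(cam_csv, outputs_conf, inputs_conf):
    """Return a list of findings; an empty list means every prerequisite matched."""
    findings = []
    # 1. cam_workers.csv must map the hf1 worker set to exactly ["hf1"] (a JSON list in the cell).
    row = next((r for r in csv.DictReader(io.StringIO(cam_csv))
                if r.get("worker_set") == EXPECTED_WORKER), None)
    if row is None:
        findings.append(f"cam_workers.csv: no worker_set row named {EXPECTED_WORKER}")
    else:
        try:
            workers = json.loads(row.get("cam_workers") or "null")
        except json.JSONDecodeError:
            workers = None
        if workers != [EXPECTED_WORKER]:
            findings.append(f"cam_workers.csv: cam_workers should be [\"{EXPECTED_WORKER}\"], got {row.get('cam_workers')!r}")
    # 2. The heavy forwarder needs a tcpout target on the indexer's receiving port.
    servers = [s.strip() for name, st in parse_conf(outputs_conf).items()
               if name.startswith("tcpout:") for s in st.get("server", "").split(",")]
    if not any(s.endswith(f":{RECEIVING_PORT}") for s in servers):
        findings.append(f"outputs.conf: no tcpout server target on port {RECEIVING_PORT}")
    # 3. The indexer needs an enabled splunktcp listener on that port.
    listener = parse_conf(inputs_conf).get(f"splunktcp://{RECEIVING_PORT}")
    if listener is None or listener.get("disabled", "0").lower() in ("1", "true"):
        findings.append(f"inputs.conf: indexer is not listening on splunktcp port {RECEIVING_PORT}")
    return findings
```

Run it against the real files pulled from each instance (for example $SPLUNK_HOME/etc/system/local/outputs.conf on the heavy forwarder) before clicking Push Relay Data, so a misnamed worker or a closed receiving port is caught before events start queuing.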
Synchronize adaptive response relay data between the heavy forwarder and search head
Perform the following tasks so that data between the Splunk instances is synchronized.
- Perform the following tasks on the heavy forwarder:
  - Navigate to the Splunk Phantom App for Splunk.
  - Click the Configurations tab.
  - In the ES - Adaptive Response Relay section, click Push Relay Data (on HF). This causes the heavy forwarder to read the phantom.conf file, obtain the server configurations that are marked for adaptive response relay together with the playbook configurations, and push this data to the search head. Any events containing the corresponding data are also pushed to the search head. See Connect the Splunk Phantom App for Splunk and the Splunk Platform to a Splunk Phantom server for information about how to mark a server to be used for adaptive response relay.
- Perform the following tasks on the search head:
  - Navigate to the Splunk Phantom App for Splunk.
  - Click the Configurations tab.
  - In the ES Adaptive Response - Relay section, click Poll Relay Data (on SH). This causes the search head to run the following search and obtain the server configurations and playbooks:
    index=main source=*/var/log/splunk/phantom_ar_relay.log
Only the most recent 1,000 playbooks can be obtained using adaptive response relay.
This documentation applies to the following versions of Splunk® Phantom App for Splunk: 4.1.3