Download topic as PDF
SOAR Integrations with REST API v1.3
You can build a custom integration between Splunk Intelligence Management and a SOAR tool that exchanges data between the two platforms. This can provide enriched data that the SOAR tool can use in automating responses to security threats. The integration can also support the sharing of that enriched data with multiple teams in an organization as well as with external teams. See Configuration requirements to learn about the configuration details required for all integrations.
Recommended Commands
Include these commands in your SOAR integration:
- Submit Observables to Splunk Intelligence Management
- Enrich Observables in a Report using Get Indicator Summaries or Get Indicator Metadata. You can also filter observables using these commands.
- Submit a report
- Search for Indicators
Optional Commands
You can use these commands to add functionality:
- Add Indicators to Company Safelist
- Copy a report to another enclave. As part of sharing a report, you can choose to redact terms in the report using the Company Safelist stored in Splunk Intelligence Management.
- Move a report to another Enclave. As part of sharing a report, you can choose to redact terms in the report using the Company Safelist stored in Splunk Intelligence Management.
You can include two additional commands that support the triage of Phishing emails:
You must have the Phishing Triage feature activated in Splunk Intelligence Management to use these commands.
|
PREVIOUS Detection Integrations with REST API v1.3 |
NEXT Build an observable-query intelligence source integration |
This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current
Feedback submitted, thanks!