After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
Configure forwarders to send SOAR data to your Splunk deployment
In release 6.2.0, the embedded instance of Splunk Enterprise has been replaced with Universal Forwarders.
These universal forwarders allow for better scaling, better performance, and reduced resource usage for getting your SOAR data into your Splunk deployment.
After upgrading to Splunk SOAR (Cloud) release 6.2.0, you no longer require the user accounts phantomsearch
and phantomdelete
on your Splunk Enterprise or Splunk Cloud Platform deployment.
Configure data forwarding
This section applies if you are forwarding data from Splunk SOAR (Cloud) to Splunk Cloud Platform. If you are not using that specific combination, no action is required. You must complete these steps to ensure your Splunk SOAR (Cloud) data continues to be forwarded.
Configuration before your is upgraded
This section applies if you are forwarding data from to either an external instance of Splunk Enterprise or Splunk Cloud Platform.
- In your Splunk Cloud Platform deployment, get a Universal Forwarder Credentials Package.
For details, see Install and configure the Splunk Cloud Platform universal forwarder credentials package in the Splunk Universal Forwarder documentation. - In Splunk Cloud Platform, select Apps, then Universal Forwarder.
- Select Download Universal Forwarder Credentials.
- Conditional: If your Splunk Cloud Platform deployment is in a restricted access category, you must request that TCP port 9997 be opened on your Splunk Cloud Platform.
- In , upload the credentials package from Step 1.
- From the Home menu, select Administration, then Administration Settings. Then select Search Settings.
- Confirm that Distributed Splunk Enterprise Deployment is selected. Upload the Splunk Universal Forwarder Credentials Package associated with your Splunk Cloud Platform instance.
After you have uploaded and saved the Universal Forwarder Credentials Package, your connection to your Splunk Cloud Platform deployment will migrate correctly when your deployment is upgraded to release 6.2.0.
Optional, post-upgrade steps: Adding new data types
After you perform the steps in the previous section, all of your previously configured data types are automatically selected. Your forwarding will work as it did in previous releases.
If you choose, you can add one or more of three additional forwarding data types that are added in 6.2.0.
- Audit logs: Records of all activities in .
- Playbook run: Playbook performance metrics, including resource scoring data.
- SOAR logs: Information about , based on app logs.
If you choose to forward the Playbook run data type, you must first create the phantom_playbook_run
index in your destination Splunk Enterprise or Splunk Cloud Platform instance. See Create Events Indexes in the Splunk Enterprise documentation or Create a Splunk Cloud Platform events index in the Splunk Cloud Platform documentation.
To add one or more of these new forwarding data types, follow these steps AFTER your stack is upgraded to version 6.2.0:
- From the Home menu, select Administration, then Administration Settings. Then select Forwarder Settings.
- Locate the forwarder group to update and select the edit button.
- Select the Data types you want to ingest into Splunk Cloud Platform, then select Save.
Configuration after your is upgraded
To configure data forwarding after your is upgraded, follow these steps:
If you choose to forward the Playbook run data type in step 2 of this process, you must first create the phantom_playbook_run
index in your destination Splunk Enterprise or Splunk Cloud Platform instance. See Create Events Indexes in the Splunk Enterprise documentation or Create a Splunk Cloud Platform events index in the Splunk Cloud Platform documentation.
- In your Splunk Cloud Platform deployment, get a Universal Forwarder Credentials Package.
For details, see Install and configure the Splunk Cloud Platform universal forwarder credentials package in the Splunk Universal Forwarder documentation. - In Splunk Cloud Platform, select Apps, then Universal Forwarder.
- Select Download Universal Forwarder Credentials.
- In , upload the credentials package from Step 1.
- From the Home menu, select Administration, then Administration Settings. Then select Forwarder Settings.
- Select +Install Credentials Package.
- Upload the Splunk Universal Forwarder Credentials Package associated with your Splunk Cloud Platform instance.
- Select the Data types you want to ingest into Splunk Cloud Platform.
There are three additional forwarding data types that are added in Splunk SOAR 6.2.0: - Audit logs: Records of all activities in Splunk SOAR.
- Playbook run: Playbook performance metrics, including resource scoring data.
- SOAR logs: Information about Splunk SOAR, based on app logs
- Select Save.
After you complete these steps, data will begin to stream from to Splunk Cloud Platform.
Configure forwarding to a Splunk Enterprise deployment
If your organization forwards data to a Splunk Enterprise deployment, you need to configure your forwarders. To configure data forwarding follow these steps:
- From the Home menu, select Administration, then Administration Settings. Then select Forwarder Settings.
- Select +New Group.
- In the Add a new forwarder group dialog do the following:
- In the Name field, type a name for your forwarder group (do not use the name
splunk
). This name is displayed on the Forwarder Settings page. - Conditional: If you use a TCP token to authenticate to your Splunk Enterprise deployment, add it to the Token field.
- In the Indexers field, add the address for your indexer.Click the Add Another if you have more indexers to add. You can remove an indexer from the list by using the - button at the end of the indexer's address field.
- Select the Data types you want to ingest into Splunk Cloud Platform or Splunk Enterprise.
- In the Name field, type a name for your forwarder group (do not use the name
- Make sure the Enabled slider button is in the on position.
- Click Save.
After you complete these steps, data will begin to stream from to your Splunk Enterprise deployment.
Configure transport layer security between your Splunk SOAR (Cloud) universal forwarder and the receiving indexer
You can now use transport layer security (TLS) certificates to secure connections between 's forwarders and the receiving indexers.
To add a TLS certificate, you will need a valid TLS certificate in your certificate bundle.
To use a certificate bundle it must include;
- the client certificate
- the matching private key
- the CA certificate that was used to sign the client certificate
- (Conditional) If the private key in your certificate bundle is encrypted, you will need the client certificate password.
For more information on preparing your TLS certificates for use with the Splunk platform, see How to prepare TLS certificates for use with the Splunk platform in Securing Splunk Enterprise.
To add a TLS certificate for your Universal Forwarder, or to edit the TLS configuration, do the following steps:
- From the Home menu, select Administration, Administration Settings, Forwarder Settings.
- On the Forwarder Settings page, click the edit icon on the right-hand end of the forwarder group's entry.
- Click the Certificate configuration tab.
- Add your client certificate bundle either by dragging and dropping it onto the box provided, or by clicking the box and navigating to the bundle on your filesystem.
- (Conditional) If your Client certificate bundle includes an encrypted private key, type your client certificate password in the Client certificate password box.
- Add your TLS certificate by dragging and dropping the certificate onto the box provided, or by clicking the box and navigating to the certificate on your filesystem.
- (Optional) Select options as needed:
- Verify server certificate
- Verify server name
- Use client SSL compression
- (Optional) If you use common names or Subject Alt names for your servers, add them as comma-separated lists to the Allowed common names or Allowed Subject Alt names fields.
- Click Save.
Reindexing
You can reindex all of your data.
Reindexing will send all your SOAR data to your Splunk Enterprise or Splunk Cloud Platform deployment again, which can result in duplicated data. To prevent duplicates, make sure to delete existing objects from all forwarder groups before reindexing. See How indexing works in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
To reindex your data, do these steps:
- From the Home menu, select Administration, Administration Settings, Forwarder Settings.
- From the Forwarder Settings screen, select the Reindex tab.
- Use the dropdown menu to select the data type you would like to reindex.
- (Optional) Set a start time from which to reindex data.
- Click Reindex.
Data types and corresponding indexes
This table shows the connection between the forwarded Data type and the index it corresponds to in Splunk Enterprise or Splunk Cloud Platform.
Splunk SOAR Data type | Index in Splunk Enterprise/Splunk Cloud Platform |
---|---|
Action run | phantom_action_run |
App | phantom_app |
App run | phantom_app_run |
Artifact | phantom_artifact |
Asset | phantom_asset |
Audit log | _audit |
Container | phantom_container |
Container attachment | phantom_container_attachment |
Container comment | phantom_container_comment |
Custom function | phantom_custom_function |
Custom list | phantom_decided_list |
Note | phantom_note |
Playbook | phantom_playbook |
Playbook run | phantom_playbook_run You must create this index before forwarding data. |
SOAR logs | splunk_app_soar |
Splunk addon for Linux logs | os |
See Also
For more information about getting data into Splunk Enterprise or Splunk Cloud Platform see these additional resources.
- What data can I index? in the Splunk Enterprise Getting Data In manual.
- Use forwarders to get data into Splunk Cloud Platform in the Splunk Enterprise Getting Data In manual.
- Use forwarders to get data into Splunk Enterprise in the Splunk Enterprise Getting Data In manual.
- Set up the universal forwarder using Splunk SOAR version 6.2.0 and later in the Install and Configure Splunk App for SOAR manual.
- How to prepare TLS certificates for use with the Splunk platform in the Securing Splunk Enterprise manual.
PREVIOUS Configure search in |
NEXT Configure Google Maps for visual geolocation data |
This documentation applies to the following versions of Splunk® SOAR (Cloud): current
Feedback submitted, thanks!