Splunk® SOAR (Cloud)

Administer Splunk SOAR (Cloud)

The classic playbook editor will be deprecated soon. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Configure forwarders to send SOAR data to your Splunk deployment

Universal forwarders replaced the embedded instance of Splunk Enterprise in release 6.2.0. These universal forwarders allow for better scaling, better performance, and reduced resource usage for getting your SOAR data into your Splunk deployment.

Splunk SOAR (Cloud) includes the compatible, supported universal forwarder version. Do not upgrade to another universal forwarder version between Splunk SOAR releases.

After upgrading to Splunk SOAR (Cloud) release 6.2.0, you no longer require the user accounts phantomsearch and phantomdelete on your Splunk Enterprise or Splunk Cloud Platform deployment.

Configure data forwarding

This section applies if you are forwarding data from Splunk SOAR (Cloud) to Splunk Cloud Platform. If you are not using that specific combination, no action is required. You must complete these steps to ensure your Splunk SOAR (Cloud) data continues to be forwarded.

Configuration before your is upgraded

This section applies if you are forwarding data from to either an external instance of Splunk Enterprise or Splunk Cloud Platform.

  1. In your Splunk Cloud Platform deployment, get a Universal Forwarder Credentials Package.
    For details, see Install and configure the Splunk Cloud Platform universal forwarder credentials package in the Splunk Universal Forwarder documentation.
    1. In Splunk Cloud Platform, select Apps, then Universal Forwarder.
    2. Select Download Universal Forwarder Credentials.
  2. Conditional: If your Splunk Cloud Platform deployment is in a restricted access category, you must request that TCP port 9997 be opened on your Splunk Cloud Platform.
  3. In , upload the credentials package from Step 1.
    1. From the Home menu, select Administration, then Administration Settings. Then select Search Settings.
    2. Confirm that Distributed Splunk Enterprise Deployment is selected. Upload the Splunk Universal Forwarder Credentials Package associated with your Splunk Cloud Platform instance.

After you have uploaded and saved the Universal Forwarder Credentials Package, your connection to your Splunk Cloud Platform deployment will migrate correctly when your deployment is upgraded to release 6.2.0.

Optional, post-upgrade steps: Adding new data types

After you perform the steps in the previous section, all of your previously configured data types are automatically selected. Your forwarding will work as it did in previous releases.

If you choose, you can add one or more of three additional forwarding data types that are added in 6.2.0.

  • Audit logs: Records of all activities in .
  • Playbook run: Playbook performance metrics, including resource scoring data.
  • SOAR logs: Information about , based on app logs.

You will need to make sure that logging levels are set for the appropriate logs in order to forward useful information. For more information about configuring logs and logging levels see Configure the logging levels for the Splunk SOAR (Cloud) action daemon.

If you choose to forward the Playbook run data type, you must first create the phantom_playbook_run index in your destination Splunk Enterprise or Splunk Cloud Platform instance. See Create Events Indexes in the Splunk Enterprise documentation or Create a Splunk Cloud Platform events index in the Splunk Cloud Platform documentation.

To add one or more of these new forwarding data types, follow these steps AFTER your stack is upgraded to version 6.2.0:

  1. From the Home menu, select Administration, then Administration Settings. Then select Forwarder Settings.
  2. Locate the forwarder group to update and select the edit button.
  3. Select the Data types you want to ingest into Splunk Cloud Platform, then select Save.

Configuration after your is upgraded

To configure data forwarding after your is upgraded, follow these steps:

You will need to make sure that logging levels are set for the appropriate logs in order to forward useful information. For more information about configuring logs and logging levels see Configure the logging levels for the Splunk SOAR (Cloud) action daemon.

If you choose to forward the Playbook run data type in step 2 of this process, you must first create the phantom_playbook_run index in your destination Splunk Enterprise or Splunk Cloud Platform instance. See Create Events Indexes in the Splunk Enterprise documentation or Create a Splunk Cloud Platform events index in the Splunk Cloud Platform documentation.

  1. In your Splunk Cloud Platform deployment, get a Universal Forwarder Credentials Package.
    For details, see Install and configure the Splunk Cloud Platform universal forwarder credentials package in the Splunk Universal Forwarder documentation.
    1. In Splunk Cloud Platform, select Apps, then Universal Forwarder.
    2. Select Download Universal Forwarder Credentials.
  2. In , upload the credentials package from Step 1.
    1. From the Home menu, select Administration, then Administration Settings. Then select Forwarder Settings.
    2. Select +Install Credentials Package.
    3. Upload the Splunk Universal Forwarder Credentials Package associated with your Splunk Cloud Platform instance.
    4. Select the Data types you want to ingest into Splunk Cloud Platform.
      There are three additional forwarding data types that are available:
      • Audit logs: Records of all activities in Splunk SOAR.
      • Playbook run: Playbook performance metrics, including resource scoring data.
      • SOAR logs: Information about Splunk SOAR, based on app logs
    5. Select Save.

After you complete these steps, data will begin to stream from to Splunk Cloud Platform.

Update a Universal Forwarder Credentials Package

You may need to update the credentials package associated with your forwarder group. For example, the certificates in the package may need to be refreshed due to an approaching expiration date.

First, obtain an updated Universal Forwarder Credentials Package.

  1. In your Splunk Cloud Platform deployment, get a Universal Forwarder Credentials Package.
    For details, see Install and configure the Splunk Cloud Platform universal forwarder credentials package in the Splunk Universal Forwarder documentation.
  2. In Splunk Cloud Platform, select Apps, then Universal Forwarder.
  3. Click Download Universal Forwarder Credentials.

You can only use a Universal Forwarder Credentials Package that matches the existing stack for your forwarder group.

Once you have obtained an updated Universal Forwarder Credentials Package, apply it to your forwarder group.

  1. From the Home menu, select Administration, then Administration Settings. Then select Forwarder Settings.
  2. Locate the forwarder group whose credential package you want to update.
  3. Click the edit icon at the right-hand edge of the table entry for the forwarder group.
  4. Click the Update Credentials Package button.
  5. Drag and drop, or click the large box to select and upload the Splunk Universal Forwarder Credentials Package associated with your Splunk Cloud Platform instance.
  6. Click Save.

Configure forwarding to a Splunk Enterprise deployment

If your organization forwards data to a Splunk Enterprise deployment, you need to configure your forwarders. To configure data forwarding follow these steps:

  1. From the Home menu, select Administration, then Administration Settings. Then select Forwarder Settings.
  2. Select +New Group.
  3. In the Add a new forwarder group dialog do the following:
    1. In the Name field, type a name for your forwarder group (do not use the name splunk). This name is displayed on the Forwarder Settings page.
    2. Conditional: If you use a TCP token to authenticate to your Splunk Enterprise deployment, add it to the Token field.
    3. In the Indexers field, add the address for your indexer.Click the Add Another if you have more indexers to add. You can remove an indexer from the list by using the - button at the end of the indexer's address field.
    4. Select the Data types you want to ingest into Splunk Cloud Platform or Splunk Enterprise.
  4. Make sure the Enabled slider button is in the on position.
  5. Click Save.

After you complete these steps, data will begin to stream from to your Splunk Enterprise deployment.

Configure transport layer security between your Splunk SOAR (Cloud) universal forwarder and the receiving indexer

You can now use transport layer security (TLS) certificates to secure connections between 's forwarders and the receiving indexers.

To add a TLS certificate, you will need a valid TLS certificate in your certificate bundle.

To use a certificate bundle it must include;

  • the client certificate
  • the matching private key
  • the CA certificate that was used to sign the client certificate
  • (Conditional) If the private key in your certificate bundle is encrypted, you will need the client certificate password.

For more information on preparing your TLS certificates for use with the Splunk platform, see How to prepare TLS certificates for use with the Splunk platform in Securing Splunk Enterprise.

To add a TLS certificate for your Universal Forwarder, or to edit the TLS configuration, do the following steps:

  1. From the Home menu, select Administration, Administration Settings, Forwarder Settings.
  2. On the Forwarder Settings page, click the edit icon on the right-hand end of the forwarder group's entry.
  3. Click the Certificate configuration tab.
  4. Add your client certificate bundle either by dragging and dropping it onto the box provided, or by clicking the box and navigating to the bundle on your filesystem.
    1. (Conditional) If your Client certificate bundle includes an encrypted private key, type your client certificate password in the Client certificate password box.
  5. Add your TLS certificate by dragging and dropping the certificate onto the box provided, or by clicking the box and navigating to the certificate on your filesystem.
  6. (Optional) Select options as needed:
    1. Verify server certificate
    2. Verify server name
    3. Use client SSL compression
  7. (Optional) If you use common names or Subject Alt names for your servers, add them as comma-separated lists to the Allowed common names or Allowed Subject Alt names fields.
  8. Click Save.

Reindexing

You can reindex all of your data.

Reindexing will send all your SOAR data to your Splunk Enterprise or Splunk Cloud Platform deployment again, which can result in duplicated data. To prevent duplicates, make sure to delete existing objects from all forwarder groups before reindexing. See How indexing works in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.

To reindex your data, do these steps:

  1. From the Home menu, select Administration, Administration Settings, Forwarder Settings.
  2. From the Forwarder Settings screen, select the Reindex tab.
  3. Use the dropdown menu to select the data type you would like to reindex.
  4. (Optional) Set a start time from which to reindex data.
  5. (Optional) Set an end time, after which data should not be reindexed.
  6. Click Reindex.

Data types and corresponding indexes

This table shows the connection between the forwarded Data type and the index it corresponds to in Splunk Enterprise or Splunk Cloud Platform.

Splunk SOAR Data type Index in Splunk Enterprise/Splunk Cloud Platform
Action run phantom_action_run
App phantom_app
App run phantom_app_run
Artifact phantom_artifact
Asset phantom_asset
Audit log _audit
Container phantom_container
Container attachment phantom_container_attachment
Container comment phantom_container_comment
Custom function phantom_custom_function
Custom list phantom_decided_list
Note phantom_note
Playbook phantom_playbook
Playbook run phantom_playbook_run
You must create this index before forwarding data.
SOAR logs splunk_app_soar
Splunk addon for Linux logs os

See Also

For more information about getting data into Splunk Enterprise or Splunk Cloud Platform see these additional resources.

Last modified on 03 June, 2024
Configure search in   Configure Google Maps for visual geolocation data

This documentation applies to the following versions of Splunk® SOAR (Cloud): current, current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters