After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
Configure forwarders to send SOAR data to your Splunk deployment
Universal forwarders replaced the embedded instance of Splunk Enterprise in release 6.2.0. These universal forwarders allow for better scaling, better performance, and reduced resource usage for getting your SOAR data into your Splunk deployment.
Configure data forwarding
Before you can forward data from your Splunk SOAR (Cloud) deployment to a Splunk Cloud Platform or Splunk Enterprise deployment, you must configure Splunk SOAR (Cloud) for forwarding.
This section applies if you are forwarding data from to either an external instance of Splunk Enterprise or Splunk Cloud Platform.
- In your Splunk Cloud Platform deployment, get a Universal Forwarder Credentials Package.
For details, see Install and configure the Splunk Cloud Platform universal forwarder credentials package in the Splunk Universal Forwarder documentation. - In Splunk Cloud Platform, select Apps, then Universal Forwarder.
- Select Download Universal Forwarder Credentials.
- (Conditional) If your Splunk Cloud Platform deployment is in a restricted access category such as HIPPA, DCI/PCS, or FedRAMP Moderate, you must request that TCP port 9997 be opened on your Splunk Cloud Platform.
- In , upload the credentials package from Step 1.
- From the Home menu, select Administration, then Administration Settings. Then select Forwarder Settings.
- Select the +Install Credentials Package button.
- Drag and drop, or select the link to navigate to your credentials package.
- Set a name for your forwarder group.
- Select the data types you want forwarded to your Splunk Cloud Platform or Splunk Enterprise deployment.
- Select the Save button.
You will need to make sure that logging levels are set for the appropriate logs in order to forward useful information. For more information about configuring logs and logging levels see Configure the logging levels for the Splunk SOAR (Cloud) action daemon.
If you choose to forward the Playbook run data type, you must first create the phantom_playbook_run
index in your destination Splunk Enterprise or Splunk Cloud Platform instance. See Create Events Indexes in the Splunk Enterprise documentation or Create a Splunk Cloud Platform events index in the Splunk Cloud Platform documentation.
Update a Universal Forwarder Credentials Package
You may need to update the credentials package associated with your forwarder group. For example, the certificates in the package may need to be refreshed due to an approaching expiration date.
First, obtain an updated Universal Forwarder Credentials Package.
- In your Splunk Cloud Platform deployment, get a Universal Forwarder Credentials Package.
For details, see Install and configure the Splunk Cloud Platform universal forwarder credentials package in the Splunk Universal Forwarder documentation. - In Splunk Cloud Platform, select Apps, then Universal Forwarder.
- Select Download Universal Forwarder Credentials.
You can only use a Universal Forwarder Credentials Package that matches the existing stack for your forwarder group.
Once you have obtained an updated Universal Forwarder Credentials Package, apply it to your forwarder group.
- From the Home menu, select Administration, then Administration Settings. Then select Forwarder Settings.
- Locate the forwarder group whose credential package you want to update.
- Select the edit icon at the right-hand edge of the table entry for the forwarder group.
- Select the Update Credentials Package button.
- Drag and drop, or click the large box to select and upload the Splunk Universal Forwarder Credentials Package associated with your Splunk Cloud Platform instance.
- Select Save.
Configure forwarding to a Splunk Enterprise deployment
If your organization forwards data to a Splunk Enterprise deployment, you need to configure your forwarders. To configure data forwarding follow these steps:
- From the Home menu, select Administration, then Administration Settings. Then select Forwarder Settings.
- Select +New Group.
- In the Add a new forwarder group dialog do the following:
- In the Name field, type a name for your forwarder group (do not use the name
splunk
). This name is displayed on the Forwarder Settings page. - (Conditional) If you use a TCP token to authenticate to your Splunk Enterprise deployment, add it to the Token field.
- In the Indexers field, add the address for your indexer. Click the Add Another if you have more indexers to add. You can remove an indexer from the list by using the - button at the end of the indexer's address field.
- Select the Data types you want to ingest into Splunk Cloud Platform or Splunk Enterprise.
- In the Name field, type a name for your forwarder group (do not use the name
- Make sure the Enabled slider button is in the on position.
- Select Save.
After you complete these steps, data will begin to stream from to your Splunk Enterprise deployment.
Configure transport layer security between your Splunk SOAR (Cloud) universal forwarder and the receiving indexer
You can now use transport layer security (TLS) certificates to secure connections between 's forwarders and the receiving indexers.
To add a TLS certificate, you will need a valid TLS certificate in your certificate bundle.
To use a certificate bundle it must include;
- the client certificate
- the matching private key
- the CA certificate that was used to sign the client certificate
- (Conditional) If the private key in your certificate bundle is encrypted, you will need the client certificate password.
For more information on preparing your TLS certificates for use with the Splunk platform, see How to prepare TLS certificates for use with the Splunk platform in Securing Splunk Enterprise.
To add a TLS certificate for your Universal Forwarder, or to edit the TLS configuration, do the following steps:
- From the Home menu, select Administration, Administration Settings, Forwarder Settings.
- On the Forwarder Settings page, click the edit icon on the right-hand end of the forwarder group's entry.
- Click the Certificate configuration tab.
- Add your client certificate bundle either by dragging and dropping it onto the box provided, or by clicking the box and navigating to the bundle on your filesystem.
- (Conditional) If your Client certificate bundle includes an encrypted private key, type your client certificate password in the Client certificate password box.
- Add your TLS certificate by dragging and dropping the certificate onto the box provided, or by clicking the box and navigating to the certificate on your filesystem.
- (Optional) Select options as needed:
- Verify server certificate
- Verify server name
- Use client SSL compression
- (Optional) If you use common names or Subject Alt names for your servers, add them as comma-separated lists to the Allowed common names or Allowed Subject Alt names fields.
- Click Save.
Reindexing
You can reindex all of your data.
Reindexing will send all your SOAR data to your Splunk Enterprise or Splunk Cloud Platform deployment again, which can result in duplicated data. To prevent duplicates, make sure to delete existing objects from all forwarder groups before reindexing. See How indexing works in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
To reindex your data, do these steps:
- From the Home menu, select Administration, Administration Settings, Forwarder Settings.
- From the Forwarder Settings screen, select the Reindex tab.
- Use the dropdown menu to select the data type you would like to reindex.
- (Optional) Set a start time from which to reindex data.
- (Optional) Set an end time, after which data should not be reindexed.
- Click Reindex.
Data types and corresponding indexes
This table shows the connection between the forwarded Data type and the index it corresponds to in Splunk Enterprise or Splunk Cloud Platform.
Splunk SOAR Data type | Index in Splunk Enterprise/Splunk Cloud Platform |
---|---|
Action run | phantom_action_run |
App | phantom_app |
App run | phantom_app_run |
Artifact | phantom_artifact |
Asset | phantom_asset |
Audit log | _audit |
Container | phantom_container |
Container attachment | phantom_container_attachment |
Container comment | phantom_container_comment |
Custom function | phantom_custom_function |
Custom list | phantom_decided_list |
Note | phantom_note |
Playbook | phantom_playbook |
Playbook run | phantom_playbook_run You must create this index before forwarding data. |
SOAR logs | splunk_app_soar |
Splunk addon for Linux logs | os |
Configure forwarding a data type to a specific Splunk index
Do the following steps to change or customize the target Splunk Cloud Platform or Splunk Enterprise index for a data type.
- From the Home menu, select Administration, then select Administration Settings, then Forwarder Settings.
- From the Forwarder Settings page, click the Settings button.
- Type the Splunk Cloud Platform or Splunk Enterprise index in the input box next to the data type you want to customize.
- When your customizations are complete, click the Submit button.
You must make sure the target index exists in your Splunk Cloud Platform or Splunk Enterprise deployment before you change the setting in Splunk SOAR (Cloud).
See Also
For more information about getting data into Splunk Enterprise or Splunk Cloud Platform see these additional resources.
- What data can I index? in the Splunk Enterprise Getting Data In manual.
- Use forwarders to get data into Splunk Cloud Platform in the Splunk Enterprise Getting Data In manual.
- Use forwarders to get data into Splunk Enterprise in the Splunk Enterprise Getting Data In manual.
- Set up the universal forwarder using Splunk SOAR version 6.2.0 and later in the Install and Configure Splunk App for SOAR manual.
- How to prepare TLS certificates for use with the Splunk platform in the Securing Splunk Enterprise manual.
Configure search in | Customize your forwarder configuration |
This documentation applies to the following versions of Splunk® SOAR (Cloud): current
Feedback submitted, thanks!