Splunk SOAR apps overview
Splunk SOAR apps provide a mechanism to extend by adding connectivity to third party security technologies in order to run actions. Given the broad set of technologies that can be orchestrated during a cyber response exercise, apps provide some relief in allowing users and partners to add their own custom functionality.
Splunk SOAR apps are developed by engineers knowledgeable in Python and modern web technologies.
Splunk SOAR apps should be developed and tested using an on-premises deployment of Splunk Phantom. Users who do not have an on-premises deployment of Splunk Phantom can download and install the free Community edition. See https://www.splunk.com/en_us/software/splunk-security-orchestration-and-automation.html.
To develop a Splunk SOAR app, start with the app wizard:
- From the main menu, select Apps.
- Click App Wizard.
Splunk SOAR app architecture
Splunk SOAR apps are written in Python to create a bridge between and other security device/applications. Think of them as having two strict edges:
- One of the edges is given an action to be carried out on behalf of .
- An app on the opposite edge converts the action into specific commands to communicate with its device or service.
The result of these actions are read by the app and passed back to . This simple design helps facilitate automated actions that are carried out by on behalf of the user.
The first edge is implemented by a rich set of Python APIs that the platform exposes to the app developer through a base class.
Apps distributed by Splunk SOAR or third parties are transmitted as
.gzip archives that you can import into Splunk SOAR.
Splunk SOAR app components
A Splunk SOAR app consists of a number of components.
||Required to initialize and define a Python package. You can use an empty file.|
||JSON metadata that describes the app and functionality that the app provides|
||The App Main Connector Module (Python script) that implements the actions that are provided by the app. This module is a class that is derived from the BaseConnector class.|
||Optional widget view. This is a view, in the context of standard MVC framework. Splunk SOAR is built on Django, an open source Python-based MVC framework. Splunk SOAR will load views that you have specified within your JSON meta-data file dynamically. Full documentation on views and templates is available on the Django documentation website.|
||Optional widget template. The template defines how the information within the view is to be rendered and displayed. The full complement of Django tags are available within a template.|
This image shows how the various components interact with each other.
Connector module development
This documentation applies to the following versions of Splunk® SOAR (Cloud): current