Splunk® App for SOAR

Install and Configure Splunk App for SOAR

Configure auditing using Splunk App for SOAR

The auditing service in Splunk App for SOAR allows you to pull audit logs from any number of Splunk SOAR environments. To configure the auditing service, you must ensure Splunk App for SOAR connects a Splunk SOAR environment to your Splunk Cloud Platform or Enterprise environment:

  1. Connect Splunk App for SOAR to Splunk SOAR.
  2. Add an audit input. Select Manage > Edit Audit Input.
    1. Enter the Audit Input Name.
    2. Specify the Start Date and Start Time for the audit.
    3. Set the Interval, in seconds. Recommended interval time is 1800 seconds (30 minutes).
    4. Choose an Index from the dropdown menu.
    5. Select Save.
  3. Turn on the Audit Input Status toggle. If you turn off the toggle, auditing stops.

To use auditing, you must ensure your Automation user has the Observer role in Splunk SOAR. For more information about how to manage roles in Splunk SOAR see Manage roles and permissions in Splunk SOAR in the Administer Splunk SOAR manual.

Last modified on 06 March, 2024
Configure SOAR system logs using Splunk App for SOAR   Configure REST API commands using Splunk App for SOAR

This documentation applies to the following versions of Splunk® App for SOAR: 1.0.41, 1.0.57, 1.0.67

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters