Splunk® App for SOAR

Install and Configure Splunk App for SOAR

Connect Splunk App for SOAR to Splunk SOAR

Splunk App for SOAR allows you to use several services to interact with your Splunk SOAR environments. Many of those services require that you connect Splunk App for SOAR to those environments.

When using Splunk Cloud Platform to communicate with Splunk SOAR (On-premises), you must configure the outbound port (8443) in Splunk Cloud Platform. For details, see Configure outbound ports for Splunk Cloud Platform in the Splunk Cloud Platform Admin Config Service Manual.

If you are using Splunk SOAR (Cloud) and you have not yet installed either Splunk App for SOAR or Splunk App for SOAR Export, contact Splunk Support to configure the required ports.

To connect, follow these instructions:

  1. Before you begin, make sure you have added the required roles to the admin user. Follow the steps at Enable Splunk platform users to use the Splunk Phantom App for Splunk, but replace each instance of phantom with splunk_app_soar.
  2. If you have configured certificates for Splunk SOAR and Splunk Enterprise, continue with the next step.
    If you have not configured certificates for Splunk SOAR and Splunk Enterprise, you must disable HTTPS certificate validation on Splunk Enterprise. Perform the following steps:
    1. Run the following command, substituting the proper username, password, Splunk address, and port number:
      curl -ku '<username>:<password>' https://<splunk address>:<port number>/servicesNS/nobody/splunk_app_soar/configs/conf-soar/verify_certs\?output_mode\=json -d value=0
    2. Return to the SOAR Server Configuration page and verify that the HTTPS certificate verification is disabled message appears with a warning icon.
  3. Navigate to Splunk App for SOAR installed on your Splunk platform instance.
  4. Select the Configurations tab.
  5. Select Create Server.
  6. To add a new server, use an authorization token from Splunk SOAR. To get an authorization token, follow these steps:
    1. Navigate to your Splunk SOAR instance.
    2. From the main menu, select Administration.
    3. Select User Management > Users.
    4. You can either use the default automation user and change the allowed IP addresses, or create a new automation user. In either case, the automation user must have the observer role. In this example we will create a new automation user. Select + User to create a new automation user.
    5. Update the Allowed IPs field to reflect the IP address or IP range for the Splunk platform instance.

      Do not use the value any (which permits the token from every address) unless you are troubleshooting or testing.

    6. Select Create to create the user.
    7. On the Users page, select the ellipsis (...) icon for the new automation user and select Edit.
    8. Copy the text in the Authorization Configuration for REST API box.
    9. Select Save.
  7. Navigate back to the Splunk platform instance running Splunk App for SOAR and paste the authorization token in the Authorization Configuration box. Verify that the format of the object looks like the following example:
    {
      "ph-auth-token": "*********",
      "server": "https://10.1.65.229"
    }
    
  8. Enter an optional name for the server. This will show up later in Splunk SOAR as your container name, so pick a name you can easily identify.
  9. (Optional) Configure a Proxy server. For example:
    • An HTTP proxy in the format http://[<username>[:password]@]<host>[:<port>]. For example:
      http://172.31.225.254:8080
    • An HTTPS proxy in the format https://[<username>[:password]@]<host>[:<port>]. For example:
      https://username:password@proxy.host.com:8080
  10. Select Save and Add Input or Save and Close. A page shows your new server. If you have multiple servers, they are listed on this page.
  11. To test your server, select Manage, then Test Connectivity. A success message appears if the server is working correctly.
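The following Python helpers are an added example, not part of the Splunk documentation or of the app itself. They let an administrator sanity-check the values handled in the procedure above before saving them: the Authorization Configuration object copied from Splunk SOAR (step 7), the Allowed IPs field (step 6.5) and the proxy URL format (step 9), and they audit the verify_certs setting that the curl command in step 2 switches off, so that a deployment where HTTPS certificate verification was disabled for testing is noticed and can be re-enabled. The REST reply layout (entry[].content.value) is the usual shape of a Splunk configs/conf-* endpoint and is an assumption here, as is the placeholder Splunk address; the sample reply and sample inputs are constructed for the example.

```python
import ipaddress
import json
import re
from typing import Optional
from urllib.parse import urlparse

# Placeholder Splunk platform address (assumption; replace with the real host and port).
SPLUNK_BASE = "https://<splunk address>:<port number>"
# REST path taken from the curl command in the procedure.
VERIFY_CERTS_PATH = "/servicesNS/nobody/splunk_app_soar/configs/conf-soar/verify_certs"


def verify_certs_url(base: str = SPLUNK_BASE) -> str:
    """URL of the verify_certs stanza; a GET here with output_mode=json audits the
    current value, and the page's curl command POSTs value=0 (or value=1) to it."""
    return f"{base}{VERIFY_CERTS_PATH}?output_mode=json"


# Constructed sample of what the endpoint returns after step 2 disabled verification.
SAMPLE_REST_REPLY = json.dumps(
    {"entry": [{"name": "verify_certs", "content": {"value": "0"}}]}
)


def cert_verification_disabled(rest_reply: str) -> bool:
    """True when the conf-soar verify_certs stanza holds value 0, i.e. HTTPS certificate
    verification between Splunk Enterprise and Splunk SOAR is switched off.
    Assumption: the flag is stored under the key 'value', as the curl command implies."""
    doc = json.loads(rest_reply)
    for entry in doc.get("entry", []):
        if entry.get("name") == "verify_certs":
            return str(entry.get("content", {}).get("value", "1")).strip() == "0"
    return False


def validate_auth_config(raw: str) -> list:
    """Check the Authorization Configuration object pasted in step 7.
    Returns a list of problems; an empty list means the object is well formed."""
    try:
        cfg = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    problems = []
    token = cfg.get("ph-auth-token")
    server = cfg.get("server")
    if not isinstance(token, str) or not token.strip():
        problems.append("ph-auth-token is missing or empty")
    if not isinstance(server, str):
        problems.append("server is missing")
    else:
        parsed = urlparse(server)
        if parsed.scheme != "https":
            problems.append("server must use https")
        if not parsed.netloc:
            problems.append("server has no host")
    return problems


def check_allowed_ips(field: str) -> list:
    """Validate the automation user's Allowed IPs field (comma-separated addresses or
    CIDR ranges). Flags the catch-all value 'any' and anything that is not an address."""
    problems = []
    items = [s.strip() for s in field.split(",") if s.strip()]
    if not items:
        problems.append("Allowed IPs is empty")
    for item in items:
        if item.lower() == "any":
            problems.append("'any' lets the token be used from every address")
            continue
        try:
            ipaddress.ip_network(item, strict=False)
        except ValueError:
            problems.append(f"{item!r} is not an IP address or CIDR range")
    return problems


# Matches the documented pattern scheme://[<username>[:password]@]<host>[:<port>].
PROXY_RE = re.compile(
    r"^(https?)://(?:([^:@/]+)(?::([^@/]*))?@)?([^:/@]+)(?::(\d{1,5}))?$"
)


def parse_proxy(url: str) -> Optional[dict]:
    """Split a proxy URL into its parts, or return None if it does not fit the format."""
    m = PROXY_RE.match(url)
    if not m:
        return None
    scheme, user, password, host, port = m.groups()
    if port is not None and not 0 < int(port) <= 65535:
        return None
    return {"scheme": scheme, "username": user, "password": password,
            "host": host, "port": int(port) if port else None}


if __name__ == "__main__":
    print("verification disabled:", cert_verification_disabled(SAMPLE_REST_REPLY))
    print(validate_auth_config('{"ph-auth-token": "*********", "server": "https://10.1.65.229"}'))
    print(check_allowed_ips("any"))
    print(parse_proxy("https://username:password@proxy.host.com:8080"))
```

cert_verification_disabled is the check to run against the live endpoint after a test phase: if it returns True, the same curl command from step 2 with -d value=1 restores verification once certificates are in place.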
Last modified on 18 October, 2023

This documentation applies to the following versions of Splunk® App for SOAR: 1.0.0, 1.0.38, 1.0.41, 1.0.57, 1.0.67