Audit logs from Splunk SOAR instances using Splunk App for SOAR
With Splunk App for SOAR, you can pull audit logs from any number of Splunk SOAR instances into Splunk for auditing.
Follow these steps to use auditing in Splunk App for SOAR:
- Make sure the Splunk SOAR server with logs you want to audit is properly configured. During the configuration, when setting up the server, make sure you've entered the information for an automation Splunk SOAR user with an Observer role in the Authorization Configuration field. That user is able to set up modular inputs and fetch audit logs.
- Select the Configurations tab to go to the SOAR Server Configuration page.
- For the server you want to audit, select the Manage dropdown and then the Edit Audit Input option.
- Enter a name for the input in the Audit Input Name field. The input name is used as the source of the indexed audit events.
- Specify the Start Date and Start Time.
- Choose an interval.
- Select the index from the Index dropdown.
- Select Save.
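After the input runs for the first time, confirm that audit events are arriving in the index you chose, under a source equal to the input name. The following search is an added example and is not part of the Splunk documentation; it assumes an index named soar_audit and an input named soar-prod-audit, both of which are placeholders to replace with your own values.

```spl
index=soar_audit source="soar-prod-audit"
| stats count, earliest(_time) as first_event, latest(_time) as last_event by source, host
| eval first_event=strftime(first_event, "%Y-%m-%d %H:%M:%S"),
       last_event=strftime(last_event, "%Y-%m-%d %H:%M:%S")
```

If the count is zero or last_event stops advancing, check the Observer user's credentials in the server configuration and the interval you chose; a search such as `| tstats count where index=soar_audit source="soar-prod-audit" earliest=-2h` scheduled as an alert with a zero-result trigger catches a stalled input before an audit gap grows.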
This documentation applies to the following versions of Splunk® App for SOAR: 1.0.0, 1.0.38, 1.0.41, 1.0.57, 1.0.67