Splunk® App for SOAR

Use Splunk App for SOAR

Audit logs from Splunk SOAR instances using Splunk App for SOAR

With Splunk App for SOAR, you can pull audit logs from any number of Splunk SOAR instances.

Follow these steps to use auditing in Splunk App for SOAR:

  1. Make sure the Splunk SOAR server whose logs you want to audit is properly configured. When setting up the server, make sure you entered the information for an automation Splunk SOAR user with an Observer role in the Authorization Configuration field. That user is able to set up modular inputs and fetch audit logs.
  2. Select the Configurations tab to go to the SOAR Server Configuration page.
  3. For the server you want to audit, select the Manage dropdown and then the Edit Audit Input option.
  4. Enter the name of the input in the Audit Input Name field. The input name is the source.
  5. Specify the Start Date and Start Time.
  6. Choose an interval.
  7. Select the index from the Index dropdown.
  8. Select Save.
Last modified on 27 June, 2022

This documentation applies to the following versions of Splunk® App for SOAR: 1.0.0, 1.0.38, 1.0.41, 1.0.57, 1.0.67, 1.0.71

