Use adaptive response relay to send notable events from Splunk ES to Splunk SOAR
Adaptive response relay allows adaptive response actions to queue on a heavy forwarder before they sent to Splunk SOAR. For example, you can use adaptive response relay to schedule a time when resources are more available to send notable events from Splunk Enterprise Security (ES) or Splunk Cloud Platform to Splunk SOAR.
If you do not need to send events with a heavy forwarder, use adaptive response actions. See Run adaptive response actions in Splunk ES to send notable events to Splunk SOAR.
How adaptive response relay sends notable events from Splunk ES to Splunk SOAR
The search head receives the Splunk SOAR information and playbooks from the heavy forwarder. The heavy forwarder receives the adaptive response actions form the search head.
To get started, perform the following tasks:
- On the search head where you already have Splunk ES and the Splunk App for SOAR Export installed
- Obtain and install the Lookup File Editor on Splunkbase.
- In the Lookup File Editor app, click on
cam_workers.csv
and verify that the worker set is hf1 and cam_workers is set to ["hf1"]. Change the value accordingly if they are not.
- Install a Splunk heavy forwarder. On the heavy forwarder:
- Install Splunk ES and the Splunk App for SOAR Export (this add-on).
- You can rename the heavy forwarder server. An example name is hf1.
Set up adaptive response relay on your Splunk instances
Configure the heavy forwarder and search head to be able to exchange data with each other.
- On the search head, go to
https://<yoursplunkserver>/en-US/splunkd/__raw/alerts/modaction_queue/key
and record the API key. - On the search head, follow the instructions in Configure your Splunk Cloud Platform ES search head with an API key in the Administer Splunk Enterprise Security manual.
- On the heavy forwarder, follow the instructions in Configure your on-premises heavy forwarded with an API key in the Administer Splunk Enterprise Security manual.
- If you are using Splunk Enterprise, perform the following steps to set up forwarding from the heavy forwarder to Splunk Enterprise. If you are using Splunk Cloud Platform, follow the instructions in How to forward data to Splunk Cloud Platform in the Splunk Universal Forwarder Forwarder Manual to set up forwarding from the heavy forwarder to Splunk Cloud Platform.
- On the indexer, set up the receiving port:
- In Splunk Web, go to Settings > Forwarding and receiving.
- In the Receive data section, click + Add new.
- Enter 9997 in the Listen on this port field to set up port 9997 as the receiving port.
- Click Save.
- On the heavy forwarder, set up forwarding to the indexers:
- In Splunk Web, go to Settings > Forwarding and receiving.
- In the Configure forwarding section, click + Add new.
- In the Host field, enter the IP address and port number (9997) of the indexer. For example:
192.168.11.12:9997
- Click Save.
- On the indexer, set up the receiving port:
- On the heavy forwarder, follow the instructions in Configure your on-premises heavy forwarder with a modular action relay in the Administer Splunk Enterprise Security manual to set up a modular action relay.
- On the search head, follow the instructions in Configure your Splunk Cloud Platform ES search head with a modular action worker in the Administer Splunk Enterprise Security manual to set up the Lookup File Editor and add a
cam_worker
. - On the search head, add an action response configuration in the Splunk App for SOAR Export.
- Navigate to the Splunk App for SOAR Export.
- Click on the Configurations tab.
- Click and expand the Alert Action Configuration section.
- Click Add Alert Action Configuration to create a new configuration.
- Give the configuration a name, and specify the credentials to the heavy forwarder.
- Click Save.
Synchronize adaptive response relay data between the heavy forwarder and search head
Perform the following tasks so that data between the Splunk instances is synchronized.
- Perform the following tasks on the heavy forwarder:
- Navigate to the Splunk App for SOAR Export.
- Click the Configurations tab.
- In the ES - Adaptive Response Relay section, click Push Relay Data (on HF). This causes the heavy forwarder to read the
phantom.conf
file and obtain the server configs that are marked for adaptive response relay and playbook configurations and push this data to the search head. Any events containing the corresponding data are also pushed to the search head. See Connect the Splunk App for SOAR Export and the Splunk Platform to Splunk SOAR for information about how to mark a server to be used for adaptive response relay.
- Perform the following tasks on the search head:
- Navigate to the Splunk App for SOAR Export.
- Click the Configurations tab.
- In the ES Adaptive Response - Relay section, click Poll Relay Data (on SH). This causes the search head to run the following search and obtain the server configurations and playbooks:
index=main source=*/var/log/splunk/phantom_ar_relay.log
Only the most recent 1,000 playbooks can be obtained using adaptive response relay.
Run adaptive response actions in Splunk ES to send notable events to Splunk Phantom or Splunk SOAR | Configure a Splunk asset in Splunk SOAR to pull data from the Splunk platform |
This documentation applies to the following versions of Splunk® App for SOAR Export: 4.1.117
Feedback submitted, thanks!