Check prerequisites for Splunk App for SOAR Export on Splunk Enterprise
Verify that your environment is ready to use the Splunk App for SOAR Export to integrate Splunk SOAR with your Splunk Enterprise deployment.
Required user privileges and ports
Verify the following user privileges and ports:
- A user with administrative privileges must install both the Splunk App for SOAR Export and the Splunk software it runs on.
- When events can't be sent from the Splunk platform to Splunk SOAR using alert actions, adaptive response actions, or event forwarding, the events are stored in the phantom_retry KV Store collection, so the KV Store must be running on the search head that hosts the app. The Splunk App for SOAR Export automatically runs the phantom_retry.py script every 60 seconds to resend any events that could not be sent earlier.
- By default, TCP ports 443 and 8089 must be open in both directions between Splunk SOAR and the Splunk Enterprise Security (ES) search heads. Port 8089 is the default splunkd management port. If you use other TCP ports to connect to the search heads, substitute those ports and use the same substituted port numbers everywhere they appear.
- In an on-premises deployment, verify that all devices involved can reach one another over the network.
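The script below is an added example, not part of the Splunk documentation or of the app itself. It probes the two ports named above from the host it runs on: run it on a search head with your SOAR address as the argument to test the search-head-to-SOAR direction, and run it on the SOAR host against a search head to test the reverse direction, since a one-sided probe cannot prove "open to and from". The host name `soar.example.internal` and all function names are placeholders chosen for this example; only the port numbers come from the page.

```python
"""Added example (not from the Splunk documentation): probe the TCP ports the
Splunk App for SOAR Export relies on from the host this runs on.

Ports are the ones the page names (443 and 8089). The default host name below
is a placeholder; pass your SOAR or search-head address on the command line.
"""
import socket
import sys
import threading

REQUIRED_PORTS = (443, 8089)  # from the page; substitute if you changed them


def check_tcp(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout.

    No TLS handshake is attempted on purpose: a failure here is a routing or
    firewall problem, which you want to tell apart from certificate problems
    that only show up once the connection itself works.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except (OSError, socket.timeout):
        return False


def check_required_ports(host, ports=REQUIRED_PORTS, timeout=3.0):
    """Map each required port to whether it is reachable from this host."""
    return {port: check_tcp(host, port, timeout) for port in ports}


def probe_against_local_listener():
    """Offline demonstration: open a listener on an ephemeral loopback port,
    confirm check_tcp reports it reachable, close it, and confirm check_tcp
    then reports the same port unreachable. Returns (reachable, unreachable).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def accept_one():
        # Accept the single probe connection so the handshake completes cleanly.
        try:
            conn, _ = listener.accept()
            conn.close()
        except OSError:
            pass  # listener closed before/while accepting

    worker = threading.Thread(target=accept_one, daemon=True)
    worker.start()
    reachable = check_tcp("127.0.0.1", port, timeout=2.0)
    listener.close()
    worker.join(timeout=2.0)
    unreachable = not check_tcp("127.0.0.1", port, timeout=2.0)
    return reachable, unreachable


if __name__ == "__main__":
    # Placeholder host name for this example; replace with your SOAR host
    # (or, when run on SOAR, with a search head).
    target = sys.argv[1] if len(sys.argv) > 1 else "soar.example.internal"
    results = check_required_ports(target)
    for port, ok in results.items():
        print(f"{target}:{port} -> {'open' if ok else 'BLOCKED'}")
    sys.exit(0 if all(results.values()) else 1)
```

The loopback self-test exists so the connectivity logic can be exercised without any network; the real check is the command-line run against your actual hosts, once from each side.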
Splunk product compatibility requirements
Use this matrix to determine the compatibility of the Splunk App for SOAR Export with certain versions of Splunk Cloud Platform or Enterprise and Splunk SOAR (Cloud) or Splunk SOAR (On-premises). You can use all versions that appear in a single row interchangeably. Splunk Enterprise Security is not required for Splunk App for SOAR Export.
Notations like Splunk Enterprise Security versions 6.5.1, 6.5.x mean that Splunk Enterprise Security version 6.5.1 or any 6.5.x release later than 6.5.1 is required.
| Splunk App for SOAR Export version | Splunk Enterprise version | Splunk Cloud Platform version | Splunk Enterprise Security version | Splunk SOAR (On-premises) version | Splunk SOAR (Cloud) version |
|---|---|---|---|---|---|
| 4.1.135 (CIM version 5.0.1) | 9.1.0 | 9.0.2303 | 7.1.1 | 6.0.1 | 6.0.1 |
| 4.1.135 (CIM version 5.0.1) | 9.0.4, 9.0.3, 9.0.2, 9.0.1 | 9.0.2303 | 7.1.0, 7.0.2 | 6.0.0 | 6.0.0 |
| 4.1.135 (CIM version 5.0.1) | 9.0.0 | 9.0.2209 | 7.0.1 | 6.0.0, 5.5.0, 5.4.0, 5.3.5, 5.3.4 | 6.0.0, 5.5.0, 5.4.0, 5.3.5, 5.3.4 |
| 4.1.135 (CIM version 5.0.1) | | 9.0.2208 | 7.0.1 | 5.3.5, 5.3.4 | 5.3.5, 5.3.4 |
| 4.1.135 (CIM version 5.0.1) | 8.2.8 | 9.0.2205, 9.0.2203, 9.0.2202 | 7.0.1 | 5.3.4 | 5.3.4 |
| 4.1.117 (CIM version 4.18.0) | | 9.0.2205 | 7.0.1 | 5.3.2-5.3.4 | 5.3.2-5.3.4 |
| 4.1.117 (CIM version 4.18.0) | | 8.2.2203 | 7.0.1 | 5.3.0-5.3.2 | 5.3.0-5.3.2 |
| 4.1.117 (CIM version 4.18.0) | | 8.2.2202, 8.2.2201, 8.2.2112 | 7.0.0 | 5.3.0, 5.2.1 | 5.3.0, 5.2.1 |
| 4.1.117 (CIM version 4.18.0) | 9.0.0 | | 7.0.1 | 5.3.0-5.3.4 | 5.3.0-5.3.4 |
| 4.1.117 (CIM version 4.18.0) | 8.2.4 | | 7.0.1, 7.0.0 | 5.3.1, 5.3.0, 5.2.1 | 5.3.0, 5.2.1 |
| 4.1.73 (CIM version 4.18.0) | | 8.2.2201 | 7.0.0 | 5.2.0 | 5.2.0 |
| 4.1.73 (CIM version 4.18.0) | | 8.2.2112 | 6.6.2 | 5.1.1 | 5.1.1 |
| 4.1.73 (CIM version 4.18.0) | | 8.2.211 | 6.6.2 | 5.1.0 | 5.1.0 |
| 4.1.73 (CIM version 4.18.0) | | 8.2.2109 | 6.6.1 | 5.1.0, 5.0.1 | 5.1.0, 5.0.0 |
| 4.1.73 (CIM version 4.18.0) | 8.2 | 8.2.2107, 8.2.2106, 8.2.2105 | 6.6.1 | 5.0.1 | 5.0.0 |
| 4.1.3 (CIM version 4.18.0) | 8.2 | 8.2.2107, 8.2.2106, 8.2.2105, 8.2.2104.1 | 6.6.0, 6.6.x | 4.10.4, 4.10.x | 4.12.0.56045, 4.12.x |
| 4.1.3 (CIM version 4.18.0) | 8.1 | 8.1.2103 | 6.6.0, 6.6.x | 4.10.4, 4.10.x | 4.12.0.56045, 4.12.x |
| 4.0.35 (CIM version 4.18.0) | 8.2, 8.2.x | 8.2.2104.1, 8.2.2103, 8.2.2011, 8.1.2009, 8.0, 7.3 | 6.5.0, 6.5.x | 4.10.1.45070, 4.10.x | N/A |
| 4.0.35 (CIM version 4.18.0) | 8.1, 8.1.x | 8.1.2101, 8.1.2012, 8.1.2009 | 6.2.0, 6.2.x | 4.10.0.40025, 4.10.x | N/A |
| 4.0.35 (CIM version 4.18.0) | 8.1, 8.1.x | 8.1.2101, 8.1.2012, 8.1.2009 | 6.4.1, 6.4.x | 4.10.0.40025, 4.10.x | N/A |
| 4.0.35 (CIM version 4.18.0) | 8.0 | 8.0 | 6.1.1, 6.1.x | 4.10.0.40025, 4.10.x | N/A |
| 4.0.35 (CIM version 4.18.0) | 8.0 | 8.0 | 6.4.1, 6.4.x | 4.10.0.40025, 4.10.x | N/A |
| 4.0.35 (CIM version 4.18.0) | 7.3 | 7.3 | 5.3.1, 5.3.x | 4.10.0.40025, 4.10.x | N/A |
| 4.0.10 (CIM version 4.18.0) | 8.0.3 | 8.0.3 | 6.1.1, 6.1.x, 6.2.0, 6.2.x | 4.8.24304, 4.8.x, 4.9.39220, 4.9.x | N/A |
| 4.0.10 (CIM version 4.18.0) | 7.3.5 | 7.3.5 | 5.3.1, 5.3.x | 4.8.24304, 4.8.x, 4.9.39220, 4.9.x | N/A |
| 4.0.10 (CIM version 4.18.0) | 7.2.10.2 | 7.2.10.2 | 5.3.1, 5.3.x | 4.8.24304, 4.8.x, 4.9.39220, 4.9.x | N/A |
| 3.0.5 (CIM version 4.8.0) | 8.0 | N/A | 6.0.0, 6.0.x | 4.6.19142, 4.6.x | N/A |
| 3.0.5 (CIM version 4.8.0) | 7.3.3 | N/A | 5.3.1, 5.3.x | 4.6.19142, 4.6.x | N/A |
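The function below is an added example, not part of the Splunk documentation: it implements the version notation the matrix uses ("6.5.1, 6.5.x" for 6.5.1 or any later 6.5 release, "5.3.2-5.3.4" for an inclusive range, a plain list for exact releases, "N/A" for none) and checks an installed deployment against one row. `SAMPLE_ROW` is copied from the first 4.1.3 row of the matrix; the function and variable names are this example's own. One reading goes beyond what the page defines and is an assumption: a bare version with no `.x` suffix, such as 8.2, is treated as the whole 8.2 line.

```python
"""Added example (not from the Splunk documentation): interpret the version
notation used in the compatibility matrix and check a deployment against a row.
"""


def parse_version(text):
    """Turn '4.12.0.56045' into a comparable tuple of ints: (4, 12, 0, 56045)."""
    return tuple(int(part) for part in text.strip().split("."))


def cell_matches(cell, version):
    """Return True if `version` is covered by a matrix cell such as '5.3.2-5.3.4'.

    Notation handled (from the page):
      'a-b'        inclusive range
      'a.b.x'      any a.b release, bounded below by an explicit a.b.N listed
                   in the same cell ('6.5.1, 6.5.x' excludes 6.5.0)
      'a.b.c'      that release; a shorter token such as '8.2' is read as the
                   whole 8.2 line (assumption, not defined by the page)
      'N/A'        nothing is supported
    """
    if cell.strip().upper() == "N/A":
        return False
    want = parse_version(version)
    explicit, wildcards = [], []
    for token in (t.strip() for t in cell.split(",")):
        if not token:
            continue
        if "-" in token:
            lo, hi = (parse_version(p) for p in token.split("-", 1))
            if lo <= want <= hi:
                return True
        elif token.endswith(".x"):
            wildcards.append(parse_version(token[:-2]))
        else:
            explicit.append(parse_version(token))
    # Exact release, or a shorter token acting as a prefix ('8.2' covers 8.2.8).
    if any(want[:len(v)] == v for v in explicit):
        return True
    for prefix in wildcards:
        if want[:len(prefix)] != prefix:
            continue
        floor = [v for v in explicit if v[:len(prefix)] == prefix]
        if not floor or want >= min(floor):
            return True
    return False


# Copied from the 4.1.3 row of the matrix above.
SAMPLE_ROW = {
    "Splunk Enterprise": "8.2",
    "Splunk Cloud Platform": "8.2.2107, 8.2.2106, 8.2.2105, 8.2.2104.1",
    "Splunk Enterprise Security": "6.6.0, 6.6.x",
    "Splunk SOAR (On-premises)": "4.10.4, 4.10.x",
    "Splunk SOAR (Cloud)": "4.12.0.56045, 4.12.x",
}


def unsupported_components(row, deployment):
    """Return the names of deployment components whose version falls outside `row`.

    `deployment` maps column names to installed versions. Columns you do not
    run (for example Splunk Enterprise Security, which the page says is
    optional) are simply left out of `deployment` and skipped.
    """
    return [name for name, ver in deployment.items()
            if name in row and not cell_matches(row[name], ver)]


if __name__ == "__main__":
    # Constructed deployment: Enterprise 8.2.6 is on the 8.2 line, but SOAR
    # 4.10.2 is older than the 4.10.4 floor, so only SOAR is reported.
    installed = {"Splunk Enterprise": "8.2.6", "Splunk SOAR (On-premises)": "4.10.2"}
    print(unsupported_components(SAMPLE_ROW, installed))
```

Because the rule that a wildcard is bounded by an explicit release in the same cell is easy to get wrong by eye, the check above is where a mistaken "we are on 4.10.x so we are fine" reading gets caught before the upgrade, not after.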
Required apps
Make sure you have the following apps installed on your Splunk Enterprise deployment:
| App | Description |
|---|---|
| Splunk App for SOAR Export (this app) | Download the Splunk App for SOAR Export from Splunkbase. This app is required to map event fields to CEF format, then forward those events to Splunk SOAR. |
| Common Information Model | Download the Splunk Common Information Model (CIM) from Splunkbase. If you have Splunk Enterprise Security (ES) installed, you don't need to download this library, because it is already included with Splunk ES. |
This documentation applies to the following versions of Splunk® App for SOAR Export: 4.1.117, 4.1.135