Splunk® App for SOAR Export

Use the Splunk App for SOAR Export to Forward Events


Verify that data can be pushed from the Splunk platform to Splunk SOAR

Perform the following steps to verify that data can be pushed from the Splunk platform to Splunk SOAR. This example sends an event with the IP address 123.45.66.77 to a Splunk SOAR server that is configured in the app under the name "Default Splunk SOAR":

  1. If you are not using Splunk Enterprise Security (ES), make sure you have installed the Splunk Common Information Model (CIM) app from Splunkbase. The sendtophantom action relies on CIM field names, such as src_ip, to map event fields to artifact fields in Splunk SOAR.
  2. On your Splunk platform, go to the Search & Reporting app.
  3. Enter the following search:

    | makeresults | eval src_ip="123.45.66.77" | sendalert sendtophantom param.phantom_server="Default Splunk SOAR" param.sensitivity="amber" param.severity="low" param.label="events"

  4. Log in to your Splunk SOAR instance.
  5. From the Main Menu, select Sources and verify that there is an Ad hoc search result.
  6. Click on Ad hoc search result.
  7. Verify that the source IP, 123.45.66.77 in our example, exists as an artifact.

If you do not see the artifact, inspect the search job's log for errors reported by the sendtophantom action, and validate that the search head can open an HTTPS connection (TCP port 443) to Splunk SOAR, because the app posts containers and artifacts to the Splunk SOAR REST API over that port.
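The following script is an added example and is not part of the Splunk App for SOAR Export. It automates the two troubleshooting checks above: whether the search head can reach Splunk SOAR on TCP port 443, and whether the Splunk SOAR REST API now holds a container, created by the sendtophantom action, that carries an artifact with the source IP from the search and the label, sensitivity and severity passed as sendalert parameters. The hostname, the automation token, the REST filter syntax and the assumption that the app writes CIM src_ip into the CEF field sourceAddress are deployment assumptions; the sample REST response embedded in the script is constructed for illustration.

```python
"""Post-check for the sendalert sendtophantom verification procedure.

Added example; not code from the Splunk App for SOAR Export. Hostname, token
and the CIM-to-CEF field name are assumptions, and SAMPLE_* data is constructed.
"""
import json
import socket
import ssl
from urllib.parse import urlencode
from urllib.request import Request, urlopen

SOAR_HOST = "soar.example.internal"                # assumption: your SOAR host
SOAR_TOKEN = "REPLACE_WITH_AUTOMATION_USER_TOKEN"  # assumption: automation user token
EXPECTED = {"label": "events", "sensitivity": "amber", "severity": "low"}
SRC_IP_CEF_FIELD = "sourceAddress"  # assumption: CIM src_ip lands in CEF sourceAddress


def tcp_reachable(host, port=443, timeout=5.0):
    """TCP-level check of the path the app uses to post to Splunk SOAR.
    False here points at firewalls or routing, not at the app configuration."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def soar_get(path, params, verify_tls=True):
    """GET a Splunk SOAR REST endpoint (for example /rest/artifact) and return
    the parsed JSON. Authenticates with the ph-auth-token header."""
    url = f"https://{SOAR_HOST}{path}?{urlencode(params)}"
    req = Request(url, headers={"ph-auth-token": SOAR_TOKEN})
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab instances with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def matching_artifacts(artifact_listing, src_ip, cef_field=SRC_IP_CEF_FIELD):
    """Filter a /rest/artifact listing ({'count': n, 'data': [...]}) down to
    the artifacts whose CEF dictionary carries the source IP that was sent."""
    return [a for a in artifact_listing.get("data", [])
            if a.get("cef", {}).get(cef_field) == src_ip]


def container_matches(container, expected=EXPECTED):
    """Return the sendalert parameters that did NOT land on the container as
    expected; an empty list means label, sensitivity and severity all match."""
    return [k for k, v in expected.items() if container.get(k) != v]


def verify_push(src_ip, artifact_listing, containers_by_id):
    """Combine the checks: did an artifact with src_ip arrive, and does each
    owning container carry the label/sensitivity/severity from the search."""
    hits = matching_artifacts(artifact_listing, src_ip)
    report = {"artifact_found": bool(hits), "container_mismatches": {}}
    for art in hits:
        cid = art.get("container")
        mismatches = container_matches(containers_by_id.get(cid, {}))
        if mismatches:
            report["container_mismatches"][cid] = mismatches
    return report


# Constructed sample of what /rest/artifact?_filter_cef__sourceAddress="..."
# and /rest/container/<id> return; only the fields used above are included.
SAMPLE_ARTIFACTS = {"count": 1, "data": [
    {"id": 10, "container": 7, "name": "Ad hoc search result",
     "cef": {"sourceAddress": "123.45.66.77"}}]}
SAMPLE_CONTAINERS = {7: {"id": 7, "name": "Ad hoc search result",
                         "label": "events", "sensitivity": "amber",
                         "severity": "low"}}

if __name__ == "__main__":
    # Live run (needs network and a token): replace the SAMPLE_* inputs with
    # soar_get("/rest/artifact", {"_filter_cef__sourceAddress": '"123.45.66.77"'})
    # and soar_get("/rest/container/7", {}).
    print("tcp/443 reachable:", tcp_reachable(SOAR_HOST))
    print(verify_push("123.45.66.77", SAMPLE_ARTIFACTS, SAMPLE_CONTAINERS))
```

Run it from the search head rather than from a workstation, because the connectivity that matters is the one between the search head and Splunk SOAR. A report with artifact_found false and tcp/443 reachable true means the event was not posted or was rejected, so the search job log is the next place to look; reachable false means the network path is the problem.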

Last modified on 27 May, 2023

This documentation applies to the following versions of Splunk® App for SOAR Export: 4.1.117, 4.1.135, 4.2.3, 4.3.2

