Splunk® App for SOAR Export

Use the Splunk App for SOAR Export to Forward Events

This documentation does not apply to the most recent version of Splunk® App for SOAR Export. For documentation on the most recent version, go to the latest release.

Run adaptive response actions in Splunk ES to send notable events to Splunk SOAR

You can run adaptive response actions in Splunk Enterprise Security (ES) to send notable events to Splunk SOAR. See Set up Adaptive Response actions in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual for more information about setting up and running adaptive response actions.

To send notable events with a heavy forwarder, use adaptive response relay. See Use adaptive response relay to send notable events from Splunk ES to Splunk SOAR.

Perform the following steps to set up adaptive response actions in Splunk ES and integrate the notable events with Splunk SOAR:

  1. In Splunk Web, navigate to the Splunk Enterprise Security app.
  2. Click the Incident Review tab.
  3. From the time range picker, select the time period you want to view data for, and click Submit. Notable events from your selected time range appear in a table.
  4. Click the drop-down arrow in the Actions column for a notable event.
  5. Click Run Adaptive Response Actions.
  6. In the Adaptive Response Actions dialog, click Add New Response Actions.
  7. Select the desired response action:
    • Click Send to SOAR to send an artifact to Splunk SOAR.
    • Click Run Playbook in SOAR to send an artifact to Splunk SOAR while running a playbook.
  8. In the menu that appears, complete the adaptive response action configuration. The fields are described below:
    SOAR Instance (Required)
      • If you are running a Send to SOAR adaptive response action, select the Splunk SOAR instance you are connecting to.
      • If you are running a Run Playbook in SOAR adaptive response action, select the Splunk SOAR instance you are connecting to and the playbook you want to run.
    Sensitivity (Required)
      Sensitivity level for the forwarded event.
    Severity (Required)
      Severity level for the forwarded event.
    Label (Optional)
      Label for the forwarded event. Your label must match a label that exists in Splunk SOAR, such as the default label events or any custom labels created by Splunk SOAR users. See Troubleshoot the Splunk App for SOAR Export for an example search that you can use to verify that you successfully added your label.
    Grouping (Optional)
      Select the check box if you want events forwarded to Splunk SOAR to be grouped into one container, rather than in separate containers. Requires that the Splunk Common Information Model (CIM), Splunk Enterprise Security (ES), or both are also installed in your Splunk instance.
    Worker Set (Optional)
      The search head or heavy forwarder that will send the notable events from Splunk ES to Splunk SOAR.
    Alert Action Account (Required for adaptive response relay)
      An existing account name configured on the Alert Action Configuration page. See Set up adaptive response relay on your Splunk instances. Leave this field blank if you are not using adaptive response relay to send notable events from Splunk ES to Splunk SOAR.

  9. Click Run.

To view results for your Splunk SOAR instance and playbook, you must run the sync playbooks command from the Splunk SOAR Server Configuration page in the Splunk App for SOAR Export. See Connect the Splunk App for SOAR Export and the Splunk Platform to Splunk SOAR.

Last modified on 21 November, 2023

This documentation applies to the following versions of Splunk® App for SOAR Export: 4.1.135
