Splunk® App for SOAR Export

Use the Splunk App for SOAR Export to Forward Events

This documentation does not apply to the most recent version of Splunk® App for SOAR Export. For documentation on the most recent version, go to the latest release.

Splunk App for SOAR Export release notes

The 4.1.135 version of the Splunk App for SOAR Export includes the following enhancements:

  • When sending notable events to Splunk SOAR using either Send to SOAR or Run Playbook in SOAR, you can now use the Grouping setting to select whether you want events passed to Splunk SOAR to be grouped into one container, rather than in separate containers. See Run adaptive response actions in Splunk ES to send notable events to Splunk Phantom or Splunk SOAR. This functionality requires that the Splunk Common Information Model (CIM), Splunk Enterprise Security (ES), or both are also installed in your Splunk instance.
  • The install/update process for Splunk App for SOAR Export no longer needs to check for updated versions. The check_for_updates flag has been removed from phantom/default/app.conf.


Fixed issues in this release

This version of the Splunk App for SOAR Export was released on August 25, 2022 and fixes the following issues.

Date resolved   Issue number   Description
2022-07-29      PAPP-25896     Event forwarding configuration UI is limited to 100 results.
2022-07-27      PAPP-26065     Alert action account entries require a page refresh to be visible in the UI after an update.
2022-06-09      PAPP-19281     When creating a new event forwarding configuration, the configuration sometimes does not show up in the UI.

Known issues in this release

This version of the Splunk App for SOAR Export was released on August 25, 2022 and has the following known issues.

Date filed   Issue number   Description
2023-08-08   PAPP-31554     Artifact title missing in SOAR when posting via scheduled alert actions.
2023-07-19   PAPP-31340     ES Notable multiline comments are not exported to SOAR.
                            Workaround: No workaround is available.
2021-11-26   PAPP-21689     Send to SOAR sometimes throws "IndexError: list index out of range".
2021-05-19   PAPP-17108     Adaptive Response Relay produces an error message in Cloud.

Workaround:
Create a saved search report to invoke Send to SOAR or Run SOAR Playbook actions, as described in these steps:
  1. Create the intended correlation search. For Triggered Actions, do not add the Send to Phantom alert action. Instead, only add the Create Notable alert action.
  2. Create a Saved Search Report.
    • Set permissions so that at least Splunk Enterprise Security and Phantom App on Splunk have permissions to read/write.
    • Set a schedule so the search runs on a regular basis.
    • Set the search so that the notable is found and all fields are carried over. Include the sendalert command in the search; it will look like this:
      index=notable | foreach _* [| eval "<<FIELD>>"='<<FIELD>>'+500] | sendalert sendtophantom param.phantom_server="automation (https://10.1.18.147) (ARR)" param.sensitivity="red" param.severity="high" param.label="events" param._cam_workers="[\"hf1\"]" param.relay_account="hf1"

If a field named _phantom_workaround_description is present in the results, its value is treated as the original search description and is added to the SOAR container description.
For example, to send the description of a search named Test Alert Title, add the following to the workaround report's search:

| eval _phantom_workaround_description = [| rest /services/saved/searches/Test%20Alert%20Title | eval desc="\"".description."\"" | return $desc]
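As an added example that is not part of the Splunk documentation, the workaround report from steps 1 and 2 written out as savedsearches.conf and local.meta stanzas. The stanza name, the app directory, the five-minute schedule, and the admin write role are assumptions; the search body, the description subsearch, and the sendalert parameters are the ones shown above.

```ini
# --- $SPLUNK_HOME/etc/apps/<your_app>/local/savedsearches.conf ---
# Stanza name, cadence and the <your_app> directory are assumptions for this example.
[phantom_workaround_report]
disabled = 0
enableSched = 1
# Run every five minutes over the previous five minutes of notables (assumed cadence).
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
# Search body from the workaround above: keep the _* fields, attach the original
# correlation search description (here for "Test Alert Title"), then forward the
# notables through the relay account hf1 named on the page.
search = index=notable \
| foreach _* [| eval "<<FIELD>>"='<<FIELD>>'+500] \
| eval _phantom_workaround_description = [| rest /services/saved/searches/Test%20Alert%20Title | eval desc="\"".description."\"" | return $desc] \
| sendalert sendtophantom param.phantom_server="automation (https://10.1.18.147) (ARR)" param.sensitivity="red" param.severity="high" param.label="events" param._cam_workers="[\"hf1\"]" param.relay_account="hf1"

# --- $SPLUNK_HOME/etc/apps/<your_app>/metadata/local.meta ---
# Share the report globally so that Splunk Enterprise Security and the Phantom App
# on Splunk can read it (step 2 above); write access for the admin role is an assumption.
[savedsearches/phantom_workaround_report]
access = read : [ * ], write : [ admin ]
export = system
```

Replace the param.phantom_server value with the label of your own configured SOAR server before enabling the report.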

Last modified on 21 September, 2023

This documentation applies to the following versions of Splunk® App for SOAR Export: 4.1.135
