Splunk® App for SOAR Export

Use the Splunk App for SOAR Export to Forward Events

This documentation does not apply to the most recent version of Splunk® App for SOAR Export. For documentation on the most recent version, go to the latest release.

Perform and check prerequisites for Splunk App for SOAR Export on Splunk Cloud Platform

Verify that your environment is ready to use the Splunk App for SOAR Export to integrate Splunk SOAR with your Splunk deployment.

Required user privileges and ports

Verify the following user privileges and ports:

  • By default, Splunk SOAR must have TCP ports 443 and 8089 open to and from Splunk Enterprise Security (ES) search heads.
    If you are using other TCP ports to connect to Splunk Enterprise Security search heads, substitute those ports. Be consistent with the substituted TCP port numbers.
  • In your on-premises deployment, verify that you have the necessary network availability among all devices.

Work with your support team to meet Splunk Cloud Platform requirements

Work with your support team to make sure your Splunk Cloud Platform environment is ready to install the Splunk App for SOAR Export:

  1. The Splunk App for SOAR Export requires that a user with administrative privileges installs both the Splunk App for SOAR Export and Splunk software. In situations where events can't be sent from Splunk Cloud Platform to Splunk SOAR using alert actions, adaptive response actions, or event forwarding, the events are stored in the phantom_retry KV Store collection. The Splunk App for SOAR Export requires the admin user to run the phantom_retry.py script every 60 seconds to try to send any events that could not be sent earlier. If the user invoking the phantom_retry.py script is not the admin user, submit a support request to the Splunk Cloud Platform team to modify the local/inputs.conf file to contain:
    [script://$SPLUNK_HOME/etc/apps/phantom/bin/scripts/phantom_retry.py]
    passAuth = <username>
    
    Also make sure the local/inputs.conf file does not change ownership or permission.
  2. Confirm with the support team that the user invoking the phantom_retry.py script has the phantom role permissions.
  3. Your Splunk SOAR instance must be running in the DMZ or perimeter network with the appropriate firewalls or reverse proxies to support internal connectivity.
  4. Submit a support request to the Splunk Cloud Platform team to assist you with TLS certificate configuration.
  5. Splunk SOAR requires a publicly valid certificate chain. The cacerts.pem file must be a single PEM file that contains the server, intermediate, and root certificates.
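As an added check, not part of the Splunk App for SOAR Export or its documentation, the following POSIX shell script covers two of the items above: it confirms that local/inputs.conf carries the phantom_retry.py stanza with a passAuth user (step 1), and that a cacerts.pem bundle is ordered server, intermediate, root by matching each certificate's issuer to the next certificate's subject (step 5). It assumes openssl is on PATH; the file paths are supplied by the caller.

```shell
#!/bin/sh
# Added prerequisite checks (not shipped with the Splunk App for SOAR Export).

# Succeeds only if the phantom_retry.py scripted-input stanza in the given
# inputs.conf sets a non-empty passAuth value.
check_retry_stanza() {
    conf="$1"   # path to local/inputs.conf
    stanza='[script://$SPLUNK_HOME/etc/apps/phantom/bin/scripts/phantom_retry.py]'
    # Print only the lines of that stanza (from its header to the next header).
    awk -v s="$stanza" '
        $0 == s { inside = 1; next }
        /^\[/   { inside = 0 }
        inside  { print }' "$conf" |
        grep -Eq '^[[:space:]]*passAuth[[:space:]]*=[[:space:]]*[^[:space:]]'
}

# Succeeds only if the PEM bundle holds at least two certificates, each
# certificate is issued by the one that follows it, and the last is self-signed
# (the root). That is the server, intermediate, root order the app expects.
check_chain_order() {
    bundle="$1"   # path to cacerts.pem
    dir=$(mktemp -d) || return 1
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle")
    [ "$n" -ge 2 ] || { rm -rf "$dir"; return 1; }
    # Split the bundle into one file per certificate: cert.1, cert.2, ...
    awk -v d="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/cert." n) }' "$bundle"
    i=1; ok=0
    while [ "$i" -le "$n" ]; do
        issuer=$(openssl x509 -in "$dir/cert.$i" -noout -issuer -nameopt RFC2253)
        if [ "$i" -lt "$n" ]; then
            next=$(openssl x509 -in "$dir/cert.$((i+1))" -noout -subject -nameopt RFC2253)
            # issuer of cert i must equal subject of cert i+1
            [ "${issuer#issuer=}" = "${next#subject=}" ] || { ok=1; break; }
        else
            subject=$(openssl x509 -in "$dir/cert.$i" -noout -subject -nameopt RFC2253)
            # the final certificate must be the self-signed root
            [ "${issuer#issuer=}" = "${subject#subject=}" ] || ok=1
        fi
        i=$((i+1))
    done
    rm -rf "$dir"
    return $ok
}
```

Run it as `check_retry_stanza /path/to/local/inputs.conf && check_chain_order /path/to/cacerts.pem` before opening the support request, so that any ordering or stanza problem is found on your side first.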

Splunk product compatibility requirements

Use this matrix to determine the compatibility of the Splunk App for SOAR Export with certain versions of Splunk Cloud Platform or Splunk Enterprise and Splunk SOAR (Cloud) or Splunk SOAR (On-premises). You can use all versions that appear in a single row interchangeably. Splunk Enterprise Security is not required for Splunk App for SOAR Export.

Notations like Splunk Enterprise Security versions 6.5.1, 6.5.x mean that Splunk Enterprise Security version 6.5.1 or any 6.5.x release later than 6.5.1 is required.

Splunk App for SOAR Export version | Splunk Enterprise version | Splunk Cloud Platform version | Splunk Enterprise Security version | Splunk SOAR (On-premises) version | Splunk SOAR (Cloud) version
---------------------------------- | ------------------------- | ----------------------------- | ---------------------------------- | --------------------------------- | ---------------------------
4.1.135 (CIM version 5.0.1) | 9.0.4, 9.0.3, 9.0.2, 9.0.1 | 9.0.2209 | 7.0.2 | 6.0.0 | 6.0.0
4.1.135 (CIM version 5.0.1) | 9.0.1 | 9.0.2209 | 7.0.2 | 5.4.0 | 5.4.0
4.1.135 (CIM version 5.0.1) | 9.0.0 | 9.0.2209, 9.0.2208 | 7.0.1 | 6.0.0, 5.5.0, 5.4.0, 5.3.5, 5.3.4 | 6.0.0, 5.5.0, 5.4.0, 5.3.5, 5.3.4
4.1.135 (CIM version 5.0.1) | 8.2.8 | 9.0.2205, 9.0.2203, 9.0.2202 | 7.0.1 | 5.3.4 | 5.3.4
4.1.117 (CIM version 4.18.0) | | 9.0.2205 | 7.0.1 | 5.3.2-5.3.4 | 5.3.2-5.3.4
4.1.117 (CIM version 4.18.0) | | 8.2.2203 | 7.0.1 | 5.3.0-5.3.2 | 5.3.0-5.3.2
4.1.117 (CIM version 4.18.0) | | 8.2.2202, 8.2.2201, 8.2.2112 | 7.0.0 | 5.3.0, 5.2.1 | 5.3.0, 5.2.1
4.1.117 (CIM version 4.18.0) | 9.0.0 | | 7.0.1 | 5.3.0-5.3.4 | 5.3.0-5.3.4
4.1.117 (CIM version 4.18.0) | 8.2.4 | | 7.0.1, 7.0.0 | 5.3.1, 5.3.0, 5.2.1 | 5.3.0, 5.2.1
4.1.73 (CIM version 4.18.0) | | 8.2.2201 | 7.0.0 | 5.2.0 | 5.2.0
4.1.73 (CIM version 4.18.0) | | 8.2.2112 | 6.6.2 | 5.1.1 | 5.1.1
4.1.73 (CIM version 4.18.0) | | 8.2.211 | 6.6.2 | 5.1.0 | 5.1.0
4.1.73 (CIM version 4.18.0) | | 8.2.2109 | 6.6.1 | 5.1.0, 5.0.1 | 5.1.0, 5.0.0
4.1.73 (CIM version 4.18.0) | 8.2 | 8.2.2107, 8.2.2106, 8.2.2105 | 6.6.1 | 5.0.1 | 5.0.0
4.1.3 (CIM version 4.18.0) | 8.2 | 8.2.2107, 8.2.2106, 8.2.2105, 8.2.2104.1 | 6.6.0, 6.6.x | 4.10.4, 4.10.x | 4.12.0.56045, 4.12.x
4.1.3 (CIM version 4.18.0) | 8.1 | 8.1.2103 | 6.6.0, 6.6.x | 4.10.4, 4.10.x | 4.12.0.56045, 4.12.x
4.0.35 (CIM version 4.18.0) | 8.2, 8.2.x | 8.2.2104.1, 8.2.2103, 8.2.2011, 8.1.2009, 8.0, 7.3 | 6.5.0, 6.5.x | 4.10.1.45070, 4.10.x | N/A
4.0.35 (CIM version 4.18.0) | 8.1, 8.1.x | 8.1.2101, 8.1.2012, 8.1.2009 | 6.2.0, 6.2.x | 4.10.0.40025, 4.10.x | N/A
4.0.35 (CIM version 4.18.0) | 8.1, 8.1.x | 8.1.2101, 8.1.2012, 8.1.2009 | 6.4.1, 6.4.x | 4.10.0.40025, 4.10.x | N/A
4.0.35 (CIM version 4.18.0) | 8.0 | 8.0 | 6.1.1, 6.1.x | 4.10.0.40025, 4.10.x | N/A
4.0.35 (CIM version 4.18.0) | 8.0 | 8.0 | 6.4.1, 6.4.x | 4.10.0.40025, 4.10.x | N/A
4.0.35 (CIM version 4.18.0) | 7.3 | 7.3 | 5.3.1, 5.3.x | 4.10.0.40025, 4.10.x | N/A
4.0.10 (CIM version 4.18.0) | 8.0.3 | 8.0.3 | 6.1.1, 6.1.x, 6.2.0, 6.2.x | 4.8.24304, 4.8.x, 4.9.39220, 4.9.x | N/A
4.0.10 (CIM version 4.18.0) | 7.3.5 | 7.3.5 | 5.3.1, 5.3.x | 4.8.24304, 4.8.x, 4.9.39220, 4.9.x | N/A
4.0.10 (CIM version 4.18.0) | 7.2.10.2 | 7.2.10.2 | 5.3.1, 5.3.x | 4.8.24304, 4.8.x, 4.9.39220, 4.9.x | N/A
3.0.5 (CIM version 4.8.0) | 8.0 | N/A | 6.0.0, 6.0.x | 4.6.19142, 4.6.x | N/A
3.0.5 (CIM version 4.8.0) | 7.3.3 | N/A | 5.3.1, 5.3.x | 4.6.19142, 4.6.x | N/A

A blank cell means the source table lists no Splunk Enterprise or Splunk Cloud Platform version for that row.

Required apps

Make sure you have the following apps installed on your Splunk Cloud Platform:

App | Description
--- | -----------
Splunk App for SOAR Export (this app) | Download the Splunk App for SOAR Export from Splunkbase. This app is required to map event fields to CEF format, then forward those events to Splunk SOAR.
Common Information Model | Download the Splunk Common Information Model (CIM) from Splunkbase. If you have Splunk Enterprise Security (ES) installed, you don't need to download this library as it is already included with Splunk ES. This app is required for the automated mapping models in adaptive response actions on Splunk Cloud Platform to work correctly.

Last modified on 08 February, 2024

This documentation applies to the following versions of Splunk® App for SOAR Export: 4.1.117, 4.1.135
