Verify that data can be pushed from the Splunk platform to Splunk SOAR
Perform the following steps to verify that data can be pushed from the Splunk platform to Splunk SOAR. In this example, we will send an event with the IP address 123.45.66.77 to a Splunk SOAR server named "Default Splunk SOAR":
- If you are not using Splunk Enterprise Security (ES), make sure you have installed the Splunk Common Information Model (CIM) app from Splunkbase.
- On your Splunk platform, go to the Search & Reporting app.
- Enter the following search:
| makeresults | eval src_ip="123.45.66.77" | sendalert sendtophantom param.phantom_server="Default Splunk SOAR" param.sensitivity="amber" param.severity="low" param.label="events"
- Log in to your Splunk SOAR instance.
- From the Main Menu, select Sources and verify that there is an Ad hoc search result.
- Click on Ad hoc search result.
- Verify that the source IP, 123.45.66.77 in our example, exists as an artifact.
If you do not see the artifact, inspect the search job's log for errors from the sendtophantom alert action, confirm that the value of param.phantom_server exactly matches the name of a server configured in the Splunk App for SOAR Export, and validate network connectivity over TCP port 443 from the Splunk search head to Splunk SOAR.
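The same verification can be scripted instead of clicked through: check that TCP 443 is reachable from the search head, then ask the SOAR REST API whether an artifact with the test IP exists. The script below is an added example, not part of this documentation or of the Splunk App for SOAR Export. It assumes a SOAR hostname and an automation-user token (placeholders here), that the app's default CIM mapping sends src_ip as the CEF field sourceAddress, and it uses the SOAR REST filter syntax `_filter_cef__<field>=<JSON value>` with the `ph-auth-token` header. The sample response is constructed inline so the parsing can be checked offline.

```python
import json
import socket
import ssl
import urllib.parse
import urllib.request

# Placeholders (assumptions): replace with your SOAR host and an automation user's token.
SOAR_BASE_URL = "https://soar.example.com"
SOAR_TOKEN = "REPLACE_WITH_AUTOMATION_USER_TOKEN"
TEST_IP = "123.45.66.77"   # the value sent by the sendalert search on this page


def check_tcp_reachable(host, port=443, timeout=5.0):
    """Return True if a TCP connection to host:port succeeds.

    This is the connectivity check from the troubleshooting note: the search
    head must reach SOAR on 443 before any sendalert result can show up.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def build_artifact_query(base_url, cef_field, value, page_size=10):
    """Build the /rest/artifact URL that filters on one CEF field.

    SOAR filters are _filter_<field>=<JSON-encoded value>; nested CEF keys are
    addressed with a double underscore, e.g. _filter_cef__sourceAddress.
    """
    params = {
        f"_filter_cef__{cef_field}": json.dumps(value),
        "page_size": page_size,
    }
    return f"{base_url.rstrip('/')}/rest/artifact?{urllib.parse.urlencode(params)}"


def artifacts_with_source_ip(response, ip):
    """Return the artifacts in a /rest/artifact response whose sourceAddress is ip.

    Assumption: the app's CIM mapping puts src_ip into cef.sourceAddress.
    """
    matches = []
    for artifact in response.get("data", []):
        cef = artifact.get("cef") or {}
        if cef.get("sourceAddress") == ip:
            matches.append({
                "id": artifact.get("id"),
                "container": artifact.get("container"),
                "label": artifact.get("label"),
                "name": artifact.get("name"),
            })
    return matches


def fetch_artifacts(url, token, verify_tls=True):
    """GET the artifact query from SOAR and return the decoded JSON body."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab instances with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, headers={"ph-auth-token": token})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


# Constructed sample of what /rest/artifact returns after the page's sendalert
# search has run once (field values are illustrative, not captured from a server).
SAMPLE_RESPONSE = {
    "count": 2,
    "data": [
        {"id": 101, "container": 7, "label": "events", "name": "Ad hoc search result",
         "cef": {"sourceAddress": "123.45.66.77"}},
        {"id": 102, "container": 8, "label": "events", "name": "Ad hoc search result",
         "cef": {"sourceAddress": "10.0.0.5"}},
    ],
}


if __name__ == "__main__":
    host = urllib.parse.urlparse(SOAR_BASE_URL).hostname
    if not check_tcp_reachable(host):
        raise SystemExit(f"cannot reach {host}:443 from this host; check firewalls and routing")
    url = build_artifact_query(SOAR_BASE_URL, "sourceAddress", TEST_IP)
    found = artifacts_with_source_ip(fetch_artifacts(url, SOAR_TOKEN), TEST_IP)
    if found:
        print(f"OK: {len(found)} artifact(s) carry {TEST_IP}: {found}")
    else:
        print(f"No artifact with {TEST_IP}; inspect the search job log and the configured server name")
```

Run it from the search head itself so the reachability check reflects the path Splunk actually uses; a green result from an admin workstation proves nothing about the search head's egress rules.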
This documentation applies to the following versions of Splunk® App for SOAR Export: 4.1.117, 4.1.135, 4.2.3, 4.3.2