Run adaptive response actions in Splunk ES to send notable events to Splunk SOAR
You can run adaptive response actions in Splunk Enterprise Security (ES) to send notable events to Splunk SOAR. See Set up Adaptive Response actions in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual for more information about setting up and running adaptive response actions.
Notable events appear as artifacts in Splunk SOAR. If you create a correlation search for an adaptive response action that creates a notable, along with your Send to SOAR or Run Playbook in SOAR request, the event_id of the notable is also sent to Splunk SOAR as a CEF value in the artifact.
To send notable events with a heavy forwarder, use adaptive response relay. See Use adaptive response relay to send notable events from Splunk ES to Splunk SOAR.
If your SOAR connection is not successful, you can save events to be sent to SOAR later. Events cannot be saved to be sent later if their key names contain periods.
Perform the following steps to set up adaptive response actions in Splunk ES and integrate the notable events with Splunk SOAR:
- In Splunk Web, navigate to the Splunk Enterprise Security app.
- Select the Incident Review tab.
- From the time range picker, select the time period to view the data, and select Submit. Notable events from your selected time range appear in a table.
- For a notable event, in the Actions column, select Run Adaptive Response Actions.
- In the Adaptive Response Actions dialog, select Add New Response Actions.
- Select the desired response action:
- Select Send to SOAR to send an artifact to Splunk SOAR.
- Select Run Playbook in SOAR to send an artifact to Splunk SOAR while running a playbook.
- In the menu that appears, complete the adaptive response action configuration. The fields are described in the following table:
Field | Required? | Description |
---|---|---|
SOAR Instance | Required | For a Send to SOAR adaptive response action, select the Splunk SOAR instance you are connecting to. For a Run Playbook in SOAR adaptive response action, select the Splunk SOAR instance you are connecting to and the playbook you want to run. |
Sensitivity | Optional (Recommended) | Sensitivity level for the forwarded event. Specify a sensitivity level for your search. If you do not specify a setting, Sensitivity is set to the value used in Splunk SOAR. The Splunk SOAR sensitivity default value is TLP: Amber. |
Severity | Required | Severity level for the forwarded event. Any custom severity levels you created in Splunk SOAR appear in this list. For details, see Connect the Splunk App for SOAR Export and the Splunk Platform to a Splunk SOAR server or Splunk SOAR in this user guide and Create custom severity names in the Splunk SOAR documentation. |
Label | Optional | Label for the forwarded event. Your label must match a label that exists in Splunk SOAR, such as the default label events or any custom labels created by Splunk SOAR users. See Troubleshoot the Splunk App for SOAR Export for an example search that you can use to verify that you successfully added your label. |
Grouping | Optional | Select the check box if you want events forwarded to Splunk SOAR to be grouped into one container rather than into separate containers. Requires that the Splunk Common Information Model (CIM), Splunk Enterprise Security (ES), or both are also installed in your Splunk instance. |
Container Name | Optional | Name for the container created in Splunk SOAR. Choose one of the following: Search Name (default value) uses the name of the adaptive response action; Source uses the source of the event that triggered the adaptive response action. |
Worker Set | Optional | The search head or heavy forwarder that sends the notable events from Splunk ES to Splunk SOAR. Select local (default value) to use the current search head to send notable events or run playbooks on Splunk SOAR without using adaptive response relay. Select the heavy forwarder you want to use to send notable events or run playbooks on Splunk SOAR when using adaptive response relay. See Use adaptive response relay to send notable events from Splunk ES to Splunk SOAR. |
Alert Action Account | Required for adaptive response relay | An existing account name configured on the Alert Action Configuration page. See Set up adaptive response relay on your Splunk instances. Leave this field blank if you are not using adaptive response relay to send notable events from Splunk ES to Splunk SOAR. |
- Select Run.
If you specified a description in your correlation search, that description is also sent to Splunk SOAR as the container description.
To view results for your Splunk SOAR instance and playbook, you must run the sync playbooks command from the Splunk SOAR Server Configuration page in the Splunk App for SOAR Export. See Connect the Splunk App for SOAR Export and the Splunk Platform to Splunk SOAR.
Run adaptive response actions using the sendalert command
The graphical user interface is the preferred method for running adaptive response actions. If you choose, you can also use the sendalert command to run a sendtophantom or runphantomplaybook action against your Splunk SOAR instance.
The sendalert command values are case sensitive and cannot include extra spaces. To ensure you are using the correct parameter values, copy the values from the Alert Action user interface, described earlier in this article.
Send to SOAR request
Here is an example of a sendalert command for a Send to SOAR (sendtophantom) request:
```spl
| makeresults | eval src_ip="123.45.66.77" | sendalert sendtophantom param.phantom_server="automation (https://10.1.18.201)" param.sensitivity="amber" param.severity="low" param.grouping="1" param.label="events" param._cam_workers="[\"local\"]"
```
If the sendalert command runs successfully, the phantom_sendtophantom_modalert.log file includes an entry like this:
```text
2024-03-12 15:20:09,420 INFO pid=19991 tid=MainThread file=cim_actions.py:message:436 | sendmodaction - worker="localhost.localdomain" signature="Running action 'sendtophantom' to forward a single event to 'automation (https://10.1.18.201)' and grouped into a single container" action_name="sendtophantom" sid="1710282002.4286" rid="0" app="search" user="admin" digest_mode="1" action_mode="adhoc" action_status="success"
```
The following table provides basic information for the sendalert command parameters for a sendtophantom request. For more detailed descriptions, refer to the table in the section on using the graphical user interface.
Field | Required? | Data type | Description |
---|---|---|---|
param.server_playbook_name | Required | <string> | server_playbook_name |
param.severity | Required | <string> | severity |
param.sensitivity | Optional (Recommended) | <string> | sensitivity |
param.label | Optional | <string> | label |
param.grouping | Optional | <string> | grouping: 1 = grouped, 0 = not grouped |
param.relay_account | Optional | <string> | relay_account (the Alert Action Account) |
param.container_name | Optional | <string> | search_name (default) or source |
param._cam_workers | Optional | <string> | adaptive response relay worker. Use "[\"local\"]" if running locally. For example: param._cam_workers="[\"local\"]" |
Run Playbook in SOAR request
Here is an example of a sendalert command for a Run Playbook in SOAR (runphantomplaybook) request:
```spl
| makeresults | eval src_ip="123.45.66.77" | sendalert runphantomplaybook param.server_playbook_name="Default: phmarketing/mkt1" param.sensitivity="amber" param.severity="low" param.label="events" param._cam_workers="[\"local\"]"
```
If the sendalert command runs successfully, the phantom_runphantom_playbook_modalert.log file includes an entry like this:
```text
2024-03-19 14:55:09,308 INFO pid=9630 tid=MainThread file=cim_actions.py:message:436 | sendmodaction - worker="lab1" signature="Running action 'runphantomplaybook' to forward multiple events to 'Default'" action_name="runphantomplaybook" sid="1710885307.6685" rid="0" app="search" user="admin" digest_mode="1" action_mode="adhoc" action_status="success"
```
The following table provides basic information for the sendalert command parameters for a runphantomplaybook request. For more detailed descriptions, refer to the table in the section on using the graphical user interface.
Field | Required? | Data type | Description |
---|---|---|---|
param.server_playbook_name | Required | <string> | name of the server and playbook to run |
param.severity | Required | <string> | severity |
param.sensitivity | Optional (Recommended) | <string> | sensitivity |
param.label | Optional | <string> | label |
param.grouping | Optional | <string> | grouping: 1 = grouped, 0 = not grouped |
param.relay_account | Optional | <string> | relay_account (the Alert Action Account) |
param.container_name | Optional | <string> | search_name (default) or source |
param.search_description | Optional | <string> | description of the saved search or correlation search |
param._cam | Optional | <json> | active response parameters |
param._cam_workers | Optional | <string> | adaptive response relay worker. Use "[\"local\"]" if running locally. For example: param._cam_workers="[\"local\"]" |
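As an added example (not code from the Splunk App for SOAR Export), the following Python helper assembles a sendalert search for either action from a parameter dict and checks the constraints stated in the two sections above before the search is run: severity is required, values must not carry leading, trailing or doubled spaces, grouping is "0" or "1", and _cam_workers must be a JSON array string that renders as "[\"local\"]" inside the search. The accepted parameter names follow the example commands and the two tables; the function names are assumptions.

```python
import json

# Constructed helper, not part of the Splunk App for SOAR Export. It assembles a
# sendalert search for sendtophantom or runphantomplaybook and enforces the
# documented rules before the search is run (case-sensitive values, no extra spaces).

ACTIONS = ("sendtophantom", "runphantomplaybook")
# Parameter names taken from the example commands and the two tables above.
ALLOWED = {"phantom_server", "server_playbook_name", "severity", "sensitivity",
           "label", "grouping", "relay_account", "container_name",
           "search_description", "_cam", "_cam_workers"}


def quote(value: str) -> str:
    """Wrap a value in double quotes, escaping backslashes and quotes for SPL."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def validate_params(params: dict) -> list:
    """Return a list of problems; an empty list means the parameters look usable."""
    problems = []
    if "severity" not in params:
        problems.append("severity is required")
    for key, value in params.items():
        if key not in ALLOWED:
            problems.append(f"unknown parameter {key}")
        if not isinstance(value, str):
            problems.append(f"{key} must be a string")
            continue
        if value != value.strip() or "  " in value:
            problems.append(f"{key} contains extra spaces: {value!r}")
    if params.get("grouping") not in (None, "0", "1"):
        problems.append('grouping must be "1" (grouped) or "0" (not grouped)')
    workers = params.get("_cam_workers")
    if workers is not None:
        try:
            parsed = json.loads(workers)
        except (TypeError, ValueError):
            parsed = None
        if not isinstance(parsed, list) or not all(isinstance(w, str) for w in parsed):
            problems.append("_cam_workers must be a JSON array of worker names")
    return problems


def build_sendalert(action: str, params: dict, search: str = "| makeresults") -> str:
    """Return the full search string, or raise ValueError listing the problems."""
    if action not in ACTIONS:
        raise ValueError(f"unsupported action {action!r}")
    if problems := validate_params(params):
        raise ValueError("; ".join(problems))
    parts = [f"param.{key}={quote(value)}" for key, value in params.items()]
    return f"{search} | sendalert {action} " + " ".join(parts)
```

Pass _cam_workers as the raw JSON text '["local"]'; quote() produces the escaped form the command line needs.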
Troubleshooting the sendalert command
In some cases, you might see an error like this from the sendalert command:
```text
Error in 'sendalert' command: Alert script returned error code 3
```
To find the cause of the error, follow these steps:
- Open a new browser tab for the Splunk platform. Navigate to the Search tab.
- In the Search field, enter one of the following searches, based on your sendalert command:
```spl
index="cim_modactions" | search sendtophantom
```
```spl
index="cim_modactions" | search runphantomplaybook
```
- A list displays, showing all sendtophantom or runphantomplaybook events. Select the arrow next to the most recent event to expand its details. You might see a message about a missing required field or a mismatched value.
- Return to your original browser tab for the Splunk platform, update the sendalert command, and run it again.
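As an added example (not part of the app or its documentation), this Python snippet parses the sendmodaction entries written to phantom_sendtophantom_modalert.log and phantom_runphantom_playbook_modalert.log, in the format shown earlier in this article, and lists the entries whose action_status is anything other than success. The failure entry in the sample is constructed to show the shape; the function names are assumptions.

```python
import re

# Constructed parser, not code from the Splunk App for SOAR Export. It splits the
# key="value" fields of a sendmodaction log entry and flags entries whose
# action_status is not "success", so a failing sendalert run can be found without
# expanding each cim_modactions event by hand.

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>[A-Z]+) pid=(?P<pid>\d+) .*?\| sendmodaction - (?P<kv>.*)$"
)
# key="value" pairs; a value may contain escaped quotes (\") but not bare ones.
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_modalert_line(line: str):
    """Return a dict of fields for a sendmodaction entry, or None if the line is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {k: v.replace('\\"', '"') for k, v in KV_RE.findall(m.group("kv"))}
    fields.update(timestamp=m.group("ts"), level=m.group("level"), pid=m.group("pid"))
    return fields


def failed_actions(lines):
    """Return the parsed entries whose action_status is anything other than success."""
    return [f for f in map(parse_modalert_line, lines)
            if f is not None and f.get("action_status") != "success"]


# Constructed sample: the first entry is the success line shown earlier in this
# article; the second is a made-up failure entry in the same shape, not real output.
SAMPLE_LOG = """2024-03-12 15:20:09,420 INFO pid=19991 tid=MainThread file=cim_actions.py:message:436 | sendmodaction - worker="localhost.localdomain" signature="Running action 'sendtophantom' to forward a single event to 'automation (https://10.1.18.201)' and grouped into a single container" action_name="sendtophantom" sid="1710282002.4286" rid="0" app="search" user="admin" digest_mode="1" action_mode="adhoc" action_status="success"
2024-03-12 15:21:44,001 ERROR pid=19991 tid=MainThread file=cim_actions.py:message:436 | sendmodaction - worker="localhost.localdomain" signature="Missing required parameter severity" action_name="sendtophantom" sid="1710282100.4290" rid="0" app="search" user="admin" digest_mode="1" action_mode="adhoc" action_status="failure"
"""

if __name__ == "__main__":
    for entry in failed_actions(SAMPLE_LOG.splitlines()):
        print(entry["timestamp"], entry["action_name"], entry["sid"], entry["signature"])
```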
This documentation applies to the following versions of Splunk® App for SOAR Export: 4.2.3