Install the Splunk App for SOAR Export on Splunk Cloud Platform
Installing the Splunk App for SOAR Export on Splunk Cloud Platform is a 2-step process. Be sure to complete both parts of the process.
1. Work with your support team to meet Splunk Cloud Platform requirements
Work with your support team to make sure your Splunk Cloud Platform environment is ready to install the Splunk App for SOAR Export.
The steps in this section are required for proper functioning of the Retry feature, which is responsible for preventing data loss. In the event of a disconnection between Splunk Cloud Platform and Splunk SOAR, the Retry feature will send events when the systems are reconnected.
To verify that your Splunk Cloud Platform environment is ready to install the Splunk App for SOAR Export, follow these steps:
- The Splunk App for SOAR Export requires that a user with administrative privileges installs both Splunk App for SOAR Export and Splunk software. In situations where events can't be sent from Splunk Cloud Platform to Splunk SOAR using alert actions, adaptive response actions, or event forwarding, the events are stored in the phantom_retry KV Store collection. Splunk App for SOAR Export automatically runs the phantom_retry.py script every 60 seconds to try to send any events that could not be sent earlier.
- Confirm with the support team to make sure that the user invoking the phantom_retry.py script has phantom role permissions.
- Your Splunk SOAR instance must be running in the DMZ or perimeter network with the appropriate firewalls or reverse proxies to support internal connectivity.
- Submit a support request to the Splunk Cloud Platform team to assist you with TLS certificate configuration.
- Splunk SOAR requires a publicly valid certificate chain. The cacerts.pem file must be configured into a single PEM certificate file with the server, intermediate, and root certificates.
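One way to assemble and sanity-check the single-file cacerts.pem described above with the openssl CLI. This is an added example, not part of Splunk's documentation or tooling; the function names build_bundle and check_bundle and the input file names are assumptions.

```shell
#!/bin/sh
# Added example, not Splunk's code. Function names are hypothetical.

# build_bundle SERVER INTERMEDIATE ROOT OUT
# Writes the three certificates to OUT in server, intermediate, root order.
# Re-encoding through openssl drops any text or keys around the PEM blocks.
build_bundle() {
    for f in "$1" "$2" "$3"; do
        openssl x509 -in "$f" -outform PEM || return 1
    done > "$4"
}

# check_bundle BUNDLE
# Returns 0 only if BUNDLE holds exactly three certificates, each one is
# issued by the next, the last is self-issued, and the signatures verify.
check_bundle() {
    tmp=$(mktemp -d) || return 1
    rc=0
    # Split the bundle into 1.pem, 2.pem, ... in file order.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/" n ".pem") }' "$1"
    count=$(ls "$tmp" | wc -l | tr -d ' ')
    if [ "$count" -ne 3 ]; then
        echo "expected 3 certificates, found $count" >&2
        rc=1
    else
        # The pair "3 3" checks that the root names itself as issuer.
        for pair in "1 2" "2 3" "3 3"; do
            set -- $pair
            issuer=$(openssl x509 -in "$tmp/$1.pem" -noout -issuer_hash 2>/dev/null)
            subject=$(openssl x509 -in "$tmp/$2.pem" -noout -subject_hash 2>/dev/null)
            if [ -z "$issuer" ] || [ "$issuer" != "$subject" ]; then
                echo "certificate $1 is not issued by certificate $2" >&2
                rc=1
            fi
        done
        # Matching names are not enough, so verify the signatures as well.
        # This trusts the bundle's own root: it shows the file is internally
        # consistent, not that the root is publicly trusted.
        if [ "$rc" -eq 0 ] && ! openssl verify -CAfile "$tmp/3.pem" \
                -untrusted "$tmp/2.pem" "$tmp/1.pem" >/dev/null 2>&1; then
            echo "signature verification failed" >&2
            rc=1
        fi
    fi
    rm -rf "$tmp"
    return "$rc"
}
```

Run build_bundle with your server, intermediate, and root certificate files, then check_bundle on the result before handing the file to the support team.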
2. Install Splunk App for SOAR Export in Splunk Cloud Platform
To install Splunk App for SOAR Export, follow these steps:
- In Splunk Cloud Platform, select the Apps gear icon.
- Select Browse more apps.
The Splunk App Browser opens.
- In the search field, enter SOAR Export.
- Locate Splunk App for SOAR Export, then select Install.
- Enter your Splunk.com login credentials (username and password).
- Select Agree and Install.
This confirms that you accept the license terms and installs the app on your deployment.
This documentation applies to the following versions of Splunk® App for SOAR Export: 4.2.3, 4.3.2