About Splunk App for SOAR Export
Splunk SOAR can use the Splunk platform as a source of data by ingesting events. Splunk App for SOAR Export, formerly known as Phantom App for Splunk, is required to configure Splunk Enterprise or Splunk Cloud Platform as a data source for getting data into Splunk SOAR.
Splunk App for SOAR Export is available on Splunkbase.
What does Splunk App for SOAR Export do?
The following image shows an example of how a standalone Splunk SOAR instance is integrated with a Splunk platform environment.
Splunk App for SOAR Export is installed as an app on the Splunk platform and forwards events to Splunk SOAR. The Splunk platform environment consists of raw events or Common Information Model (CIM) data, while Splunk SOAR uses the Common Event Format (CEF). Splunk App for SOAR Export acts as a translation service between the Splunk platform and Splunk SOAR by performing the following tasks:
- Mapping fields from Splunk platform alerts, such as saved searches and data models, to CEF fields.
- Translating CIM fields from Splunk Enterprise Security (ES) notable events to CEF fields.
- Forwarding events in CEF format to Splunk SOAR, which are stored as artifacts.
How Splunk SOAR integrates with the Splunk platform
The following image shows how Splunk SOAR is integrated into a Splunk environment.
Before you install Splunk App for SOAR Export, make sure you review the requirements.
- If you are using Splunk Enterprise, see Check prerequisites for Splunk App for SOAR Export on Splunk Enterprise.
- If you are using Splunk Cloud Platform, see Check prerequisites for Splunk App for SOAR Export on Splunk Cloud Platform.
Splunk App for SOAR Export release notes | Check prerequisites for Splunk App for SOAR Export on Splunk Enterprise |
This documentation applies to the following versions of Splunk® App for SOAR Export: 4.2.3, 4.3.2
Feedback submitted, thanks!