Splunk® App for SOAR Export

Use the Splunk App for SOAR Export to Forward Events

Splunk App for SOAR Export release notes

Welcome to release 4.3.21

This release of Splunk App for SOAR Export was released on October 30, 2024.

Important: Upgrade information

If you are upgrading from a previous version of Splunk App for SOAR Export, note the following points:

  • It is now time to upgrade to Splunk App for SOAR Export versions 4.3.13 and later and stop using earlier releases. The newer releases use up-to-date Splunk APIs. For details, see the Search endpoint descriptions article in the Splunk Enterprise REST API Reference Manual documentation.

  • The upgrade process likely involves some down time, so plan to upgrade in a window when you do not expect much traffic.
  • Check the product compatibility requirements for exact version information. This release depends upon exact versions, especially of Splunk CIM (Splunk Common Information Model). After you perform the upgrade, no additional steps are required.
    For details, see the following documentation:
  • Send to SOAR functionality is not currently supported for finding-based detections, which are new in Splunk Enterprise Security version 8.0. Send to SOAR functionality is still supported for notables, which are now called event-based detections in Splunk Enterprise Security version 8.0.
  • A session key now replaces the alert action config. The alert action config is no longer available as an option.

Updates

This release of Splunk App for SOAR Export includes the following updates:

Feature: phantom_forwarding.log file
Description: To limit its size, the phantom_forwarding.log file rolls over to a new file when it reaches a certain size. As a result, there are now multiple files named phantom_forwarding.log with sequential numbers appended (for example, phantom_forwarding.log.1, phantom_forwarding.log.2, and so on).

Feature: Updated notable query
Description: eval `get_event_id_meval`

Fixed issues in this release

This version of Splunk App for SOAR Export is a maintenance release and fixes multiple issues, including the following issues:

Date resolved: 2024-09-16
Issue number: PAPP-34180
Description: Unable to create event forwarding with a saved search that contains special characters

Date resolved: 2024-06-28
Issue number: PAPP-34267
Description: Error "A saved search with that name already exists" when more than 30 Event Forwarding configurations exist

Known issues in this release

This version of Splunk App for SOAR Export has the following known issues. If there are no issues listed, there are currently no known issues in this release.

Date filed: 2024-09-17
Issue number: PAPP-34713
Description: Event Forwarding fails to send events, with an error, on Windows

Workaround:
  1. Disable the Event Forwarding configuration.
  2. Edit the same saved search used by Event Forwarding, select +Add Actions, then select Send to SOAR.

Date filed: 2024-09-06
Issue number: PAPP-34682
Description: The adaptive response action "Run Playbook in SOAR" does not support double quotes in its playbook listing

Workaround:
Use the "Send to SOAR" action to send events to SOAR. On the SOAR side, configure the playbook to run automatically.
Last modified on 30 October, 2024

This documentation applies to the following versions of Splunk® App for SOAR Export: 4.3.21

