Splunk® SOAR (On-premises)

Administer Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Configure forwarders to send SOAR data to your Splunk deployment

Starting in release 6.2.0, the embedded instance of Splunk Enterprise has been replaced with Universal Forwarders. These universal forwarders allow for better scaling, better performance, and reduced resource usage for getting your SOAR data into your Splunk deployment.

If your organization does not send your data to a Splunk Cloud Platform Deployment or Splunk Enterprise deployment, you do not need to configure forwarders.

Splunk SOAR (On-premises) includes the compatible, supported universal forwarder version. Do not upgrade to another universal forwarder version between Splunk SOAR releases.

After upgrading to Splunk SOAR (On-premises) release 6.2.0 or higher, you no longer require the user accounts phantomsearch and phantomdelete on your Splunk Enterprise or Splunk Cloud Platform deployment.

Support was added for new data types that you can send from 6.2.0 to Splunk Cloud Platform or your dedicated Splunk Enterprise deployment.

  • Audit logs: Records of all activities in .
  • Playbook run: Playbook performance metrics, including resource scoring data. See note at the end of this list.
  • SOAR logs: Information about , based on app logs.
  • Splunk Addon For Linux Logs: System logs from for use with Splunk IT Service Intelligence.

You will need to make sure that logging levels are set for the appropriate logs in order to forward useful information. For more information about configuring logs and logging levels see Configure the logging levels for Splunk SOAR (On-premises) daemons.

If you choose to forward the Playbook run data type, you must first create the phantom_playbook_run index in your destination Splunk Enterprise or Splunk Cloud Platform instance. See Create Events Indexes in the Splunk Enterprise documentation or Create a Splunk Cloud Platform events index in the Splunk Cloud Platform documentation.

Configure data forwarding

This section applies if you are forwarding data from to either an external instance of Splunk Enterprise or Splunk Cloud Platform.

You must complete these steps to ensure your data can be forwarded.

Configure a Universal Forwarder Credentials Package

If your organization forwards data to a Splunk Cloud Platform deployment, you need to use a Universal Forwarder Credentials Package to configure your forwarders.

You will need to make sure that logging levels are set for the appropriate logs in order to forward useful information. For more information about configuring logs and logging levels see Configure the logging levels for Splunk SOAR (On-premises) daemons.

If you choose to forward the Playbook run data type, you must first create the phantom_playbook_run index in your destination Splunk Enterprise or Splunk Cloud Platform instance. See Create Events Indexes in the Splunk Enterprise documentation or Create a Splunk Cloud Platform events index in the Splunk Cloud Platform documentation.

To configure your forwarders with with a Universal Forwarder Credentials Package, follow these steps:

  1. In your Splunk Cloud Platform deployment, get a Universal Forwarder Credentials Package.
    For details, see Install and configure the Splunk Cloud Platform universal forwarder credentials package in the Splunk Universal Forwarder documentation.
    1. In Splunk Cloud Platform, select Apps, then Universal Forwarder.
    2. Select Download Universal Forwarder Credentials.
  2. Conditional: If your Splunk Cloud Platform deployment is in a restricted access category, you must request that TCP port 9997 be opened on your Splunk Cloud Platform.
  3. In , upload the credentials package from Step 1.
    1. From the Home menu, select Administration, then Administration Settings. Then select Forwarder Settings.
    2. Click the +Install Credentials Package button.
    3. Drag and drop, or click the large box to select and upload the Splunk Universal Forwarder Credentials Package associated with your Splunk Cloud Platform instance.
    4. In the Name field, type a name for your forwarder group (do not use the name splunk). This name is displayed on the Forwarder Settings page.
    5. Select all of the data types you want to forward to your Splunk Cloud Platform deployment. You must select at least one data type to forward.
  4. Make sure the Enabled slider button is in the on position.
  5. Click Save.

Configure forwarding to a Splunk Enterprise deployment

If your organization forwards data to a Splunk Enterprise deployment, you need to configure your forwarders. To configure data forwarding follow these steps:

  1. From the Home menu, select Administration, then Administration Settings. Then select Forwarder Settings.
  2. Select +New Group.
  3. In the Add a new forwarder group dialog do the following:
    1. In the Name field, type a name for your forwarder group. This name is displayed on the Forwarder Settings page.
    2. Conditional: If you use a TCP token to authenticate to your Splunk Enterprise deployment, add it to the Token field. See Control forwarder access.
    3. In the Indexers field, add the address for your indexer.Click the Add Another if you have more indexers to add. You can remove an indexer from the list by using the - button at the end of the indexer's address field.
    4. Select the Data types you want to ingest into Splunk Cloud Platform or Splunk Enterprise.
  4. Make sure the Enabled slider button is in the on position.
  5. Click Save.

After you complete these steps, data will begin to stream from to your Splunk Enterprise deployment.

Configure Splunk SOAR (On-premises) to forward information to ElasticSearch

When you configure to use an external instance of Elasticsearch, a copy of all indexed and searchable data is sent to the Elasticsearch instance.

Verify the following requirements before configuring the external Elasticsearch instance:

  • If you are using SSL to secure your connection to the Elasticsearch instance, the SSL certificate is imported to the Splunk Phantom certificate store.
  • You know the host name and port for the Elasticsearch instance.
  • You know the username and password of an Elasticsearch user account, or the client certificate and client key.

Perform the following tasks to connect to an external Elasticsearch instance:

  1. From the main menu in , select Administration.
  2. Select Administration Settings.
  3. Select Forwarder Settings.
  4. Click the button labeled +Configure Elastic Search.
  5. On the Configure Elastic Search dialog, add the settings for your Elasticsearch instance:
    1. In the Host field, type the hostname and port for your Elasticsearch instance.
    2. In the Username field, type the username required to log in to your Elasticsearch instance.
    3. In the Password field, type the password required to log in to your Elasticsearch instance.
  6. Conditional: Select the Use SSL check box to enable SSL.
  7. Conditional: If your Elasticsearch instance is version 6 or higher, select the Use one index per section check box.
  8. Conditional: If you are using certificate-based authentication, select the Client Authentication check box.
    1. Type the name of the client certificate in the Client Certificate field. This certificate is often a file with the .pem extension.
    2. Type the name of the to client key in the Client Key field. This key is often a file with the .key extension.
  9. Data types for Elasticsearch are already configured for you.
  10. When you are finished, click the button labeled Save.

If you want to use a client certificate to connect to your Elasticsearch instance, provide the paths on the Splunk SOAR instance's operating system to the public and private keys. The private key, often a file with the .pem extension, is the Client Certificate. The public key, often a file with the .key extension, is the Client Key. Both files must be added to the Splunk SOAR (On-premises) Certificate store. See Splunk SOAR (On-premises) certificate store overview for more information on the Certificate Store.

Data types and corresponding indexes

This table shows the connection between the forwarded Data type and the index it corresponds to in Splunk Enterprise or Splunk Cloud Platform.

Splunk SOAR Data type Index in Splunk Enterprise/Splunk Cloud Platform
Action run phantom_action_run
App phantom_app
App run phantom_app_run
Artifact phantom_artifact
Asset phantom_asset
Audit log _audit
Container phantom_container
Container attachment phantom_container_attachment
Container comment phantom_container_comment
Custom function phantom_custom_function
Custom list phantom_decided_list
Note phantom_note
Playbook phantom_playbook
Playbook run phantom_playbook_run
You must create this index before forwarding data.
SOAR logs splunk_app_soar
Splunk addon for Linux logs os

See Also

For more information about getting data into Splunk Enterprise or Splunk Cloud Platform see these additional resources.

Last modified on 02 May, 2024
Configure search in   Configure Google Maps for visual geolocation data

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.2.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters