Splunk® SOAR (On-premises)

Administer Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Add and configure apps and assets to provide actions in

apps expand the capabilities of your instance by enabling connections to third party products and services. These third-party products and services provide actions you can run or automate in your playbooks. For example, the MaxMind app provides the geolocate ip action for your deployment.

supports apps written in Python 3. Python 2 is not supported after release 5.3.4.

You can upgrade existing apps or install new apps at any time without having to upgrade the entire platform.

Apps have full access to the operating system and there are no security restrictions on any app while it is running.

An asset is a specific configuration, or instance, of an app. An asset is configured with the information required to communicate with the third-party product or service, such as IP address, automation service account, username, and password.

For example, ships with a VMware vSphere app enabling to get information from and take actions against a vSphere host. You can use to start and stop VMs, take snapshots, and download memory snapshots for analysis. In order for the app to be able to communicate with your vSphere servers, you must provide login credentials such as the hostname or IP address. You might have multiple vSphere servers, such as several individual ESXi hosts, or you might have them centralized onto one vCenter server. To tell about a given vSphere server, create a vSphere asset and provide the address and credentials needed for that server. You can then create another vSphere asset with a different address and credentials if needed. When taking actions, you specify which asset the action is for.

This table shows how multiple vSphere assets are configured from a vSphere app:

app Configure multiple assets from a single app
VMware vSphere vSphere 1
  • IP address 192.168.1.1
  • User admin1, password example1
vSphere 2
  • IP address 192.168.1.2
  • User admin2, password example2
vSphere 3
  • IP address 192.168.1.3
  • User admin3, password example3

View your Splunk SOAR (On-premises) apps

ships with hundreds of apps already installed. You can find more apps on splunkbase, from other users, and even create your own. See apps overview in Develops Apps for .

Perform the following tasks to view the apps provided by on the Apps page.

  1. From the Home menu, select Apps to access the Apps page.
  2. View the list of configured apps on the Configured Apps tab. Any app that has at least one asset configured appears on this page. You can expand each asset to view the configured assets and available actions provided by the app. Select Configure New Asset to configure a new asset for the app. See Add a new asset.
  3. (Optional) Select Unconfigured Apps to view the list of apps installed on your instance that do not have at least one asset configured.
  4. (Optional) Select Orphaned Assets to review any assets that no longer have a corresponding app installed.

Install, update, or delete apps on Splunk SOAR (On-premises)

Navigate to the Apps page to install, update, or delete apps.

Install a new Splunk SOAR (On-premises) app

Perform the following steps to install a new app:

  1. Obtain the new app or develop a new app. See apps overview in Develops Apps for .
  2. From the Home menu, select Apps.
  3. Select Install App.
  4. Drag and drop a .tar or.rpm archive of the app into the file field, or navigate to the location of the app file on your system.
  5. Select Install.

You can install new apps from Splunkbase:

  1. From the Home menu, select Apps.
  2. Select New Apps.
  3. A list of available apps is displayed.
    1. If you do not see the app you are looking for, you can search apps by typing search terms into the search bar at the top of the list of apps.
  4. Select the app you want to install then select Install. If you want to install all available apps, select Install All.
    1. If you are prompted for your credentials, use your Splunk.com login information.

After installing an app using either method, the new app is available on the Unconfigured Apps tab of the Apps page.

For compatibility needs, you can install multiple versions of the same app. However, only one version of the app can be active at a time. To install an incompatible app or version, see Install or update an incompatible app or version later in this section.

Switching the active version of an app may have unintended consequences. For example, there might be differences among the actions, parameters, or output depending on the version of the app. Be sure to modify any playbooks as needed to be compatible with the active version of the app.

Update existing Splunk SOAR (On-premises) apps

To update an existing app, perform the following steps:

  1. From the Home menu, select Apps.
  2. Select App Updates.
  3. Select any apps with available updates.
  4. Select Update.

Install or update an incompatible app or version

Install incompatible apps or versions at your option. Splunk is not responsible for support or compatibility of unsupported or older, incompatible app versions you choose to install. Splunk supports only Splunk-developed compatible apps that are labeled as supported by Splunk.

You might choose to install an app that is not compatible with the version of you are running. You can run a command to turn off automatic version checking when installing Splunk apps, community apps, and custom apps.

To install or update an incompatible app or version by turning off version checking, follow these steps:

  1. In the command line, enter the following command:
    <PHANTOM_HOME>/bin/phenv python -m manage toggle_min_phantom_version_check --disable
  2. Follow the steps to install or update an app, as described earlier in this section.

To turn the minimum version checking back on again, enter the following command:
<PHANTOM_HOME>/bin/phenv python -m manage toggle_min_phantom_version_check --enable

To check whether the minimum version checking is turned on or off, enter the following command:
<PHANTOM_HOME>/bin/phenv python -m manage toggle_min_phantom_version_check --check

Delete a Splunk SOAR (On-premises) app

Perform the following steps to delete a app:

  1. From the Home menu, select Apps.
  2. Select the trash can (The trash can icon) icon for the app you want to delete.
  3. Select Delete to confirm you want to delete the app.

You can re-install any app that you deleted by downloading the app and installing the app again. See Install a new Splunk SOAR (On-premises) app.

View your Splunk SOAR (On-premises) assets

ships with one asset for the DNS, MaxMind, PhishTank, REST Data Source, and WHOIS apps already configured.

To view configured assets, perform the following tasks:

  1. From the Home menu, select Apps.
  2. Verify the Configure Apps tab is selected.
  3. In any app, select the arrow icon corresponding to configured assets to expand the section and view the assets. For example, if an app shows 3 configured assets, select the arrow to view the configured assets. You can hover over the asset to edit or delete the asset.

Add, edit, or delete a Splunk SOAR (On-premises) asset

Manage the assets in your instance. You can add a new asset, and edit or delete existing assets.

Add a new Splunk SOAR (On-premises) asset

Perform the following steps to create a new asset:

  1. From the Home menu, select Apps.
  2. Select Configure New Asset for the desired app.
  3. In the Asset Name field, enter a name for the asset such as firewall. This name is the one you use when referring to the asset in scripts. Specify the name as a string without spaces or punctuation.
  4. (Optional) In the Asset Description field, enter a longer and more descriptive name for this asset, such as Perimeter Firewall for the engineering network.
  5. (Optional) Enter one or more tags for the asset. You can use the same tag for multiple assets to group them together, and then perform actions on all assets with matching tags. See Add tags to objects in .
  6. Select Save.

The amount of configuration required for each asset is determined by the app. Some assets require additional configuration. For example, if you configure a QRadar asset, you must also configure settings on the Asset Settings and Ingest Settings tabs before you can save the configuration.

  • Most assets require authentication information so that can connect to the desired server or service. You can configure authentication for an asset on the Asset Settings tab.
  • Data ingestion settings, such as polling intervals and where to put the data once the data is ingested, are configured on the Ingest Settings tab. The destination for ingested data is called a container in .

If you need to connect to assets using the Splunk SOAR Automation Broker, see Configure Connectors to use the Splunk SOAR Automation Broker in Set Up and Manage the Splunk SOAR Automation Broker.

Edit a Splunk SOAR (On-premises) asset

Perform the following steps to edit a asset:

  1. From the Home menu, select Apps.
  2. Make sure the Configured Apps tab is selected.
  3. Select on the number of configured assets in the app to expand the section.
  4. In the table of configured assets, select the asset you want to edit.
  5. Select Edit, then make any desired changes. You can edit an asset's description, tags, settings, and approval settings. To change the asset name, you must delete the current asset and create a new asset with the desired name.
  6. Select Save.

Reassign an orphaned Splunk SOAR (On-premises) asset

You can now assign orphaned assets to an App from the user interface.

  1. From the Home menu, select Apps, then Orphaned Assets. Then select the orphaned asset.
  2. Select Assign App.
  3. In the dropdown menu, select the App, then select Assign.

Delete a Splunk SOAR (On-premises) asset

Perform the following steps to delete a asset.

  1. From the Home menu, select Apps.
  2. Make sure the Configured Apps tab is selected.
  3. Select on the number of configured assets in the app to expand the section.
  4. In the table of configured assets, select the asset you want to delete.
  5. Select Delete Asset.
  6. Select Confirm to confirm that you want to delete the asset.

Configure advanced asset settings

Configure advanced asset settings such as the concurrent action limit, just in time (JIT) credentials, automation users, asset environment variables, and proxies.

Set the concurrent action limit

You can run concurrent actions on an existing asset, or on a new asset by following these steps:

  1. From the Home menu, select Apps.
  2. Find the app you want to run an action on and select Configure New Asset. Or, to run concurrent actions on an existing asset, select your desired preexisting asset.
  3. Select the Asset Setting tab, then select Advanced.
  4. In the Concurrent Action Limit box, enter the number of concurrent actions you want to run on your asset. You can run up to 10 actions at once. Use caution when changing this limit as it can significantly affect performance.
  5. Run the actions on an asset; evaluate performance.

For information on setting the global action concurrency limit, see Set the global action concurrency limit.

Disable action lock or action concurrency

Within an action entry, the optional lock key defines a set of parameters that you can set to run actions concurrently.

  • A lock is represented by its name.
  • Multiple actions locking on the same name will be serialized even if the actions are from different apps.
  • In the absence of a lock dictionary, the platform runs the actions concurrently using the asset as the lock name.

To disable the lock for an action, the lock dictionary must be present and the "enabled" key set to false. When "enabled" is set to false, you can run as many concurrent actions as you like.

"lock": {
   "enabled": false,
   "data_path": "parameters.hash",
   "timeout": 600
}
Parameter Required? Description
enabled Required Boolean value that specifies if the lock is enabled or not for this action.
data_path Optional The name of the lock. Only valid if lock is enabled. This value is either a datapath that points to a parameter of the action with parameters.hash where hash is one of the parameters of the action, or a datapath that points to a configuration parameter for something like configuration.server. At runtime, the platform will read the values stored in these data paths and use it as the name of the lock. You can also use a constant string, for example, any string that does not start with configuration. or parameters.The platform will use this value as is. In case the data_path is not specified, the asset will be used as the lock name.
timeout Optional Specifies the number of seconds to wait to acquire the lock, before an error condition is reported.

If you have multiple actions with the lock enabled that are scheduled to run on an asset, you may want to exclude only some of them from running concurrently. To exclude a certain action from running concurrently, set concurrency to false in the app JSON. When both "enabled" and "concurrency" are set to true, you can run multiple actions concurrently up to the concurrent action limit. When "enabled" is set to true and "concurrency" is set to false, you can only run a single action.

"lock": {
   "enabled": true,
   "concurrency": false
}
Parameter Required? Description
enabled Required Boolean value that specifies if the lock is enabled or not for this action.
concurrency Optional By default concurrency is set to true to allow concurrent actions to run on an app. Set concurrency to false to opt out of concurrent actions running on an app.

If the lock is enabled on an action, but concurrency is set to false in the app.json, the action will not be counted in the concurrent action limit you set in Asset Settings.

Configure Just In Time Credentials for a Splunk SOAR (On-premises) asset

Some assets can be configured to use just in time (JIT) credentials, which require a user to type in credentials before any further action is taken. Use JIT credentials if your organization has policies against providing credentials in an automated manner, or if you are using one-time passwords.

To configure JIT credentials, perform the following steps:

  1. Navigate to the asset configuration page.
  2. Select the Asset Settings tab.
  3. Select Advanced to expand the section.
  4. Select Edit if you are editing an existing asset. You don't need to do this if you are configuring a new asset.
  5. In the Enable Just in Time credentials for field, select the fields for which you want to enable JIT authentication. For example, select username and password to enable JIT for login credentials.
  6. Select Save.

Once enabled, JIT uses the asset's approval settings to determine the set of users that must supply the credentials to complete the action. See Configure approval settings for a asset.

To use JIT, you must have at least one approver set up for the asset. If you have selected multiple users that require a quorum to approve, then the last user (the one that would cast the final vote that causes the action to run) must be the one who supplies correct credentials. Earlier users can supply credentials, but the last user supplies the set that is actually used. Anything entered before that user is overwritten by the last user. Note that even if you have "Automatic self-approval" configured in for your own approval vote, you still receive a JIT prompt when credentials are required.

Configure automation users for a Splunk SOAR (On-premises) asset

Define the automation user to specify the service account uses to run the asset. The default account is the automation account provided by .

Perform the following tasks to create a custom automation user in :

  1. Navigate to the asset configuration page.
  2. Select the Asset Settings tab.
  3. Select Advanced to expand the section.
  4. Select Edit if you are editing an existing asset. You don't need to do this is you are configuring a new asset.
  5. In the Select a user on behalf of which automated actions can be executed (e.g. test connectivity, ingestion) field, select the desired automation user.
  6. Select Save.

Configure environment variables for a Splunk SOAR (On-premises) asset

Global environment variables precedence over any configured in an asset.
Perform the following tasks to set environment variables for a asset:

  1. Navigate to the asset configuration page.
  2. Select the Asset Settings tab.
  3. Select Advanced to expand the section.
  4. Select Edit if you are editing an existing asset. You don't need to do this is you are configuring a new asset.
  5. Select + Variable to add a new environment variable.
  6. Enter the name and value of the variable.
  7. (Optional) Select Secret to encrypt the value so that it is not displayed in the web interface.
  8. (Optional) Select + Variable to add more variables as needed.
  9. Select Save.

See Configure proxies for a asset for information on how to set environment variables so that the asset can use a proxy.

Configure proxies for a asset

Perform the following steps to configure the environment variables needed for the app to communicate with a proxy:

  1. Navigate to the asset configuration page.
  2. Select the Asset Settings tab.
  3. Select Advanced to expand the section.
  4. Select Edit if you are editing an existing asset. You don't need to do this if you are configuring a new asset.
  5. Select + Variable to add a new environment variable.
  6. Configure the HTTP_PROXY, HTTPS_PROXY, or NO_PROXY variables depending on the type of proxy connection.
    • For HTTP and HTTPS proxy configurations, include the protocol, hostname or IP address, and the port of the proxy server. For example:
      <Protocol>://<Hostname/IP>:<Port>
    • For NO_PROXY configurations, include the IP address, hostname, or domain of the asset.
  7. (Optional) Select Secret to encrypt the value so that it is not displayed in the web interface.
  8. Select Save.

The table shows an example of how to configure HTTP, HTTPS, and no proxy for a asset. For apps that use requests, configuring both HTTPS and HTTP environment variables directs all app traffic through the proxy server.

Proxy Name Proxy Value
HTTP_PROXY http://192.168.13.1:80
HTTPS_PROXY https://192.168.13.100:8800
NO_PROXY 127.0.0.1, localhost, localhost.localdomain

When configuring the system to use an HTTP or HTTPS proxy, Splunk SOAR (On-premises) requires that you except calls to the loopback interface from the proxy list. You must set the environment variable '''NO_PROXY''' to include 127.0.0.1, localhost, and localhost.localdomain so that REST calls can be made on the loopback interface without being diverted to the proxy.

Configure ingest settings for a Splunk SOAR (On-premises) asset

Data ingestion settings are available for assets such as QRadar, Splunk, and IMAP. Perform the following steps to configure ingestion settings for a asset:

  1. Navigate to the Asset Configuration page.
  2. Select the Ingest Settings tab.
  3. Select Edit if you are editing an existing asset. You don't need to do this if you are configuring a new asset.
  4. In the Label to apply to objects from this source field, select a container label you want to apply to objects from this source. You can also type in a new label name.
  5. (Optional) Configure a polling interval for the asset to ingest data.
    • Select Interval to configure the number of minutes between polls.
    • Select Scheduled to view additional options and intervals.
  6. (Optional) Some assets have a Process Missed Jobs checkbox. Check this box if you want to process any missed jobs. Jobs can be missed in cases where is not running, or one poll didn't complete before the next one started.
  7. Select Save.

Configure approval settings for a Splunk SOAR (On-premises) asset

Assets created with no approvers run immediately. It is usually an acceptable company policy for an asset providing a whois lookup action. For assets such as firewalls, company policies usually restrict access to the ability to change firewall settings. Any actions performed on a firewall asset must go through the approval process.

Configure the approval settings for a asset to determine who must approve the actions taken against the asset. See Approve actions before they run in in the Use manual.

To configure approval settings for an asset, perform the following steps:

  1. Navigate to the asset configuration page.
  2. Select the Approval Settings tab.
  3. Select Edit if you are editing an existing asset. You don't need to do this if you are configuring a new asset.
  4. Select the users and roles you want to configure as primary approvers. Select the arrow keys to add or remove users and roles to the Primary Approvers field.
  5. Select the number of required primary approvers from the drop-down list in the Required primary approvers field.
  6. Select the users and roles you want to configure as secondary approvers. Select the arrow keys to add or remove users and roles to the Secondary Approvers field.
  7. Select the number of required secondary approvers from the drop-down list in the Required secondary approvers field.
  8. Select Save.

Configure Executive approvers for a asset

When all SLA escalations expire without being acted on Executive approvers receive an SLA breach notification. To configure Executive approvers, follow these steps:

  1. From the main menu select Administration then Response.
  2. On the Response page uncheck Automatic self-approval.
  3. Search for and select one or more Executive approvers from the list.
  4. Select Save Changes.

Configure the tenant assigned to a Splunk SOAR (On-premises) asset

Assign a tenant to an asset to separate data and make sure that the asset is only used with the container with the same tenant. You can only assign tenants to an asset if multi-tenancy is configured and enabled in . See Configure multiple tenants on your instance.

Perform the following steps to assign a tenant to a asset:

  1. Make sure multi-tenancy is enabled on your instance.
  2. Navigate to the asset configuration page.
  3. Select the Tenants tab.
  4. Select Edit if you are editing an existing asset. You don't need to do this if you are configuring a new asset.
  5. Select the desired tenants from the Available Tenants box and select the arrows to move them to the Mapped to Asset box.
    • Non-ingestion assets that do not have a tenant assigned are available to all tenants. You can assign multiple tenants to a non-ingestion asset.
    • Ingestion assets must have one tenant assigned. You can't assign multiple tenants. If no tenant is selected in the asset configuration, the default system tenant is assigned to the asset and any containers created by the asset.
  6. Select Save.
Last modified on 24 April, 2024
Manage warm standby features and options   Assess app and asset connectivity and ingestion

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.1.0, 6.1.1, 6.2.0, 6.2.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters