Splunk Lantern

The Splunk platform as a SOAR appliance
The Splunk platform and Splunk SOAR interact with each other in multiple ways to improve your organizational security processes. The Splunk platform can be:

  • a data source
  • an appliance
  • a monitoring and reporting tool

This article explains how the Splunk platform functions as an appliance for Splunk SOAR through the Splunk App/Connector. It covers some best practices and recommendations regarding supported actions and configuration. For more comprehensive documentation on how to use this app, see the SOAR Connectors GitHub.

The information below applies to SOAR and Splunk Enterprise Security (ES) integrations versions prior to ES 8.x. ES 8 introduced a streamlined and direct integration with SOAR. For more information on that integration, see Pair Splunk Enterprise Security with Splunk SOAR.

To learn about the other ways that the Splunk platform and Splunk SOAR interact, see Demystifying apps for the Splunk platform and SOAR.

The Splunk App functions as an appliance: a custom solution running on the Splunk platform that packages specific files and settings to address specific use cases. One of these use cases is to function as an ingestion app. Like any SOAR app with an "on poll" action, it can pull data from a third-party appliance (in this case, the Splunk platform) and bring it into SOAR. The most common supported actions are listed here:

  • Test connectivity. Validate the asset configuration for connectivity. This action logs into the device to check the connection and credentials.
  • Get host events. Get events pertaining to a host that have occurred in the past X many days.
  • Run query. Run a search query on the Splunk device. When you do this, be sure to escape any quotes that are part of the query string. Note that you can also use playbooks to run queries.
  • Update event. Update the status of a notable event in Splunk Enterprise Security or add comments to it after the SOAR actions are complete. To do this, you need the notable ID.
  • Post data. Create an event on the Splunk platform.
  • On poll. Ingest from the Splunk platform. It queries the Splunk platform and creates a container/event in SOAR for each query result. Query configuration is set in the app configuration, described in the next section.

If it is not possible to push data to SOAR using the Splunk App for Export because of network access issues (for example, sending data from Splunk Cloud Platform to SOAR on-premises), using the Splunk App is the recommended method to pull events from the Splunk platform into SOAR. This method will be more effective than using adaptive response relay.

Configuration

You can find this app in the Apps section of the Splunk SOAR user interface. Select Apps from the dropdown menu and then search for Splunk. When you have selected it, the configuration options are displayed. The Asset Settings tab is the most important.

  1. In the Device IP/Hostname, enter the Splunk platform IP or hostname.
  2. Enter the Splunk platform REST port.
  3. You can use either account credentials (username and password) or an API token to access the Splunk platform. The credentials provided must have access to the indexes and events that you would like to access in SOAR.
  4. Set the Splunk Server Timezone.
  5. In the Query to use with On Poll field, you can configure a query. This will pull events from the Splunk platform into SOAR. However, it is a best practice to create a saved search in the Splunk platform for this query and to reference the saved search in these configuration fields. To do so, use the "Saved Search" command in the Command for query to use with On Poll field. This way, you manage all your saved searches in the Splunk platform and this configuration acts as a reference. Any changes in the Splunk platform will be reflected here.

    You don’t have to configure this setting if you don’t use the app for ingestion.

You'll also want to configure the Ingest Settings tab carefully. Similar to Splunk App for Export, you can schedule ingestion using a cron job-like configuration. This tab asks you to select a label to apply to every event ingested with this asset. You can either create a separate asset for each label (saved search) or create an ingestion playbook that selects the label based on the event information.
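The two points above that most often go wrong in practice are the quote escaping required by the Run query action and the per-event label choice that an ingestion playbook makes for On poll results. The following Python example is added here to illustrate both; it is not code from the Splunk App/Connector or from Splunk SOAR. The sample rows are constructed to look like Enterprise Security notable results a saved search could return, the substring-to-label rules are an assumption you would replace with your own, and the container payload follows the general shape of a SOAR container (name, label, severity, source_data_identifier, artifacts with a cef dictionary) rather than any exact schema.

```python
"""Added example: escape quotes for the Run query action parameter, and build
SOAR container payloads with a label chosen from each saved-search result."""
import json

# Constructed sample rows, shaped like ES notable results a saved search could return.
SAMPLE_ROWS = [
    {"event_id": "ABC-1", "rule_name": "Malware Detected on Host", "dest": "host01", "urgency": "high"},
    {"event_id": "ABC-2", "rule_name": "Brute Force Access Behavior Detected", "src": "10.0.0.5", "urgency": "medium"},
    {"event_id": "ABC-3", "rule_name": "Excessive Failed Logins", "user": "jdoe", "urgency": "low"},
]

# Constructed (assumed) label rules: substring of rule_name -> SOAR label, checked in order.
LABEL_RULES = [
    ("malware", "malware"),
    ("brute force", "authentication"),
    ("failed login", "authentication"),
]
DEFAULT_LABEL = "events"

# Map ES notable urgency onto the SOAR container severity scale (assumed mapping).
SEVERITY_BY_URGENCY = {
    "critical": "high",
    "high": "high",
    "medium": "medium",
    "low": "low",
    "informational": "low",
}


def escape_query(query: str) -> str:
    """Backslash-escape double quotes so the SPL survives being passed as the
    action's query string (assumed escaping convention)."""
    return query.replace('"', '\\"')


def choose_label(row: dict) -> str:
    """Pick the SOAR label from the event's rule_name, falling back to a default."""
    name = row.get("rule_name", "").lower()
    for needle, label in LABEL_RULES:
        if needle in name:
            return label
    return DEFAULT_LABEL


def build_container(row: dict) -> dict:
    """Turn one saved-search result into a container payload with one artifact.
    event_id becomes source_data_identifier so re-polling the same notable is
    recognisable as the same container rather than a fresh one."""
    label = choose_label(row)
    cef = {k: v for k, v in row.items() if k != "event_id"}
    return {
        "name": row.get("rule_name", "Splunk event"),
        "label": label,
        "severity": SEVERITY_BY_URGENCY.get(row.get("urgency", "").lower(), "medium"),
        "source_data_identifier": row["event_id"],
        "artifacts": [
            {
                "name": "notable",
                "label": label,
                "source_data_identifier": row["event_id"],
                "cef": cef,
            }
        ],
    }


def build_containers(rows):
    """One container per query result, mirroring what On poll does."""
    return [build_container(r) for r in rows]


if __name__ == "__main__":
    print(escape_query('search index=main sourcetype="syslog" | head 10'))
    print(json.dumps(build_containers(SAMPLE_ROWS), indent=2))
```

Because the label drives which playbooks run against a container, keep the label rules in one place (here LABEL_RULES) and give every result a default so an unexpected rule_name still lands in a queue someone watches rather than being silently dropped.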

Additional resources

Now that you've learned how to set up the Splunk platform as a data source for Splunk SOAR, learn how to use it as: