Splunk Lantern

The Splunk platform as a SOAR monitoring and reporting tool

The Splunk platform and Splunk SOAR interact with each other in multiple ways to improve your organizational security processes. The Splunk platform can be:

  • a data source
  • an appliance
  • a monitoring and reporting tool

This article explains how the Splunk platform functions as a monitoring and reporting tool for Splunk SOAR through the Splunk App for SOAR. It covers some best practices and recommendations for configuration and reporting. For more comprehensive documentation on how to use this app, see Learn about Splunk App for SOAR.

To learn about the other ways that the Splunk platform and Splunk SOAR interact, see Demystifying apps for the Splunk platform and SOAR.

The Splunk SOAR architecture includes a number of programs and services whose logs you might want to analyze. For example, you might want to collect the logs of the SOAR daemons so you can watch for errors and do basic health monitoring. You might also want access to the record of SOAR activity that is written to the Postgres database.

However, the reporting available on the SOAR home page is limited. When you log in, you'll see panels for automation ROI, active users, events, and playbook and action run history, but there is little you can customize; even the time picker only offers preselected ranges. This is usually not enough to keep your deployment healthy and meet the reporting needs of your SOC.

The solution is to use the Splunk App for SOAR for better reporting. This app contains far more dashboards and panels than SOAR offers natively, including extensive information on SOAR containers (the events or notables SOAR works on). You can also search the notes attached to containers to see what information analysts added to cases in SOAR.

Configuration

To install this app, you must configure both the Splunk platform and Splunk SOAR.

You can install the Splunk App for SOAR either from the Apps page of Splunk Enterprise or from Splunkbase. Once it is installed, the first thing the app configuration asks for is credentials for your SOAR instance: an authorization token that belongs to an Automation user on SOAR.

To obtain that token, go to your SOAR interface and complete the following:

  1. Ensure that you have an Automation type user set up. This user type is required for REST access to SOAR.
  2. For the username, best practice is a name specific to the service that will use it, so update the default "automation" name to something like "splunk_automation". Because each integrating service gets its own automation user, this naming convention keeps them distinguishable.
  3. For the allowed IPs:
    • For testing, you can use "any" so that an IP mismatch can be ruled out while you troubleshoot. Do not leave it that way: with "any", anyone who obtains the token can use it from anywhere.
    • For production, specify the IP address or IP block of your Splunk instance, in CIDR notation.
  4. Authorization credentials are generated automatically; click Show Token to display the token in plain text. Copy it for the next set of instructions and treat it like a password, since it grants REST access to SOAR as this user.
  5. Assign the roles the app requires to the automation user.

Then return to the app configuration in Splunk Enterprise.

  1. Paste in the authorization token.
  2. Provide a name for the server.
  3. Click Save.
  4. In the Advanced Options section, select the option to Create Indexes.
    • The indexes that start with phantom_ come from the Postgres database. You can prepend an instance name to distinguish deployments, for example, test_phantom_.
    • The OS and splunk app_soar indexes contain system logs.
    • The phantom_container indexes are for notables.
    • There are also separate indexes for apps, actions, and artifacts.

If you want to retrieve information from SOAR directly through its REST API, see the Splunk SOAR REST API documentation.
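As an added example (not code from this article or from the Splunk App for SOAR), the following Python script pulls containers from a SOAR instance using an Automation user's token and summarizes them by status, the kind of data the app's container dashboards present. It also includes a small check that mirrors the allowed-IP filter from step 3 of the SOAR configuration above. The header name, endpoint, paging parameters and response shape (ph-auth-token, /rest/container, page/page_size, count/num_pages/data) are the documented SOAR REST API; the host name, token and sample containers are constructed for the example.

```python
"""Pull Splunk SOAR containers over the REST API and summarize them.

Added example; not code from the Splunk App for SOAR. Assumes the SOAR REST
API as documented: the Automation user's token goes in the ``ph-auth-token``
header, and ``/rest/container`` accepts ``page``/``page_size`` and returns
JSON of the form {"count": N, "num_pages": M, "data": [...]}.
"""
import ipaddress
import json
import ssl
import urllib.request
from collections import Counter
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qs, urlparse

Fetch = Callable[[str, Dict[str, str]], str]


def host_permitted(allowed_ips: str, host_ip: str) -> bool:
    """Mirror the automation user's allowed-IP filter.

    ``allowed_ips`` is "any" or a comma-separated list of addresses / CIDR
    blocks. "any" lets the token be used from anywhere, so it is only for
    testing; production should list the Splunk instance's address(es).
    """
    if allowed_ips.strip().lower() == "any":
        return True
    addr = ipaddress.ip_address(host_ip)
    for entry in allowed_ips.split(","):
        entry = entry.strip()
        # strict=False tolerates host bits being set, e.g. "10.0.0.7/24"
        if entry and addr in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def build_request(base_url: str, token: str, page: int, page_size: int = 100):
    """Return (url, headers) for one page of /rest/container."""
    url = f"{base_url.rstrip('/')}/rest/container?page={page}&page_size={page_size}"
    headers = {"ph-auth-token": token, "Accept": "application/json"}
    return url, headers


def https_fetch(url: str, headers: Dict[str, str], cafile: Optional[str] = None) -> str:
    """Real HTTPS GET. SOAR ships a self-signed certificate by default; pass
    its CA via ``cafile`` instead of disabling certificate verification."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8")


def fetch_all_containers(base_url: str, token: str, fetch: Fetch = https_fetch,
                         page_size: int = 100) -> List[dict]:
    """Walk every page of /rest/container and return the container dicts."""
    containers: List[dict] = []
    page = 0
    while True:
        url, headers = build_request(base_url, token, page, page_size)
        body = json.loads(fetch(url, headers))
        data = body.get("data", [])
        containers.extend(data)
        page += 1
        # stop on the last page, or on an empty page so a bad num_pages
        # value cannot loop forever
        if page >= int(body.get("num_pages", 1)) or not data:
            break
    return containers


def summarize_by_status(containers: List[dict]) -> Counter:
    """Count containers per status (new/open/closed), as a dashboard would."""
    return Counter(c.get("status", "unknown") for c in containers)


# Constructed sample data standing in for two pages of /rest/container.
SAMPLE_PAGES = {
    0: json.dumps({"count": 3, "num_pages": 2, "data": [
        {"id": 101, "name": "Phishing email reported", "status": "new",
         "severity": "high", "label": "events"},
        {"id": 102, "name": "Suspicious login", "status": "open",
         "severity": "medium", "label": "events"},
    ]}),
    1: json.dumps({"count": 3, "num_pages": 2, "data": [
        {"id": 103, "name": "Malware alert", "status": "closed",
         "severity": "low", "label": "events"},
    ]}),
}


def sample_fetch(url: str, headers: Dict[str, str]) -> str:
    """Offline stand-in for https_fetch that serves SAMPLE_PAGES."""
    if not headers.get("ph-auth-token"):
        raise PermissionError("ph-auth-token header missing")
    page = int(parse_qs(urlparse(url).query).get("page", ["0"])[0])
    return SAMPLE_PAGES[page]


if __name__ == "__main__":
    # Hypothetical host and token; use https_fetch against a live SOAR.
    print(host_permitted("10.0.0.0/24, 192.168.1.5", "10.0.0.7"))
    found = fetch_all_containers("https://soar.example.com", "EXAMPLE_TOKEN",
                                 fetch=sample_fetch)
    print(summarize_by_status(found))
```

Against a live instance, call fetch_all_containers with the default https_fetch and the CA that signed the SOAR certificate; the script deliberately has no option to turn verification off, because the token in the header is a credential worth protecting in transit.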

SOAR configuration pre-version 6.2

In earlier versions, the HTTP Event Collector (HEC) is used to push SOAR data from Postgres to the Splunk platform. If you are still on an older version, in addition to configuring SOAR search, you will also have to set up a universal forwarder on SOAR to monitor:

  • SOAR daemon logs
  • Postgres logs
  • Nginx logs
  • Operating system logs

The configuration supports stand-alone and distributed Splunk instances.

On the Splunk platform, a user with the phantom (delete) privilege is required for SOAR index administration.

Configuration post-version 6.2

Starting in Splunk SOAR (on-premises) release 6.2.0, the embedded instance of Splunk Enterprise has been replaced with universal forwarders, which scale better, perform better, and use fewer resources for getting your SOAR data into your Splunk deployment. You can also select which data types to send instead of all types being sent by default.

Additional resources

Now that you've learned how to set up the Splunk platform as a monitoring and reporting tool for Splunk SOAR, learn how to use it as: