Sending events from the Splunk platform to SOAR

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

You want to use the Splunk platform as a source of data for your Splunk SOAR deployment. The Splunk platform environment consists of raw events or Common Information Model (CIM) data, while Splunk SOAR uses the Common Event Format (CEF). You need to connect these platforms and make the data work across both.

Solution

The Splunk App for SOAR Export is installed as an app on the Splunk platform and forwards events to Splunk SOAR, creating containers and adding the event data as artifacts in the containers. The app also acts as a translation service between the Splunk platform and Splunk SOAR, mapping fields to CEF. After you have installed the app, you can use any of the following three methods to send information from the Splunk platform to Splunk SOAR.

Event forwarding of saved searches

Event forwarding uses saved searches to select event data to forward to Splunk SOAR.

The searches will be readable by all users on the Splunk App for SOAR Export or with global permissions.
Events with multivalue fields are converted to lists.
You can queue adaptive responses on local a Splunk heavy forwarder to forward to Splunk SOAR.
With this method, you can't use nonstandard severity, status, data types, or other parameters.
Splunk platform events can be sent on an interval or in real time.
The process for a data model export is similar to forwarding a saved search.

To learn how to use event forwarding with saved searches, see Create a saved search export to send data to Splunk Splunk SOAR (On-Premises), Splunk Phantom, or SOAR (Cloud) in the Splunk App for SOAR Export manual.

In the Splunk App for SOAR Export, select Event Forwarding, Add New, Saved Search Export. Note that
In the fields in Step 1, note the following:
- The container name should be the field with the event description.
- If you can't find your search in the Saved Search dropdown menu, make sure it has global permissions.
- In the Select Destination field, enter the target SOAR server configuration name.
- The Container Label defaults to "events". If you enter a custom label, it must already exist on the SOAR server.
- The time range is optional.
In the fields in Step 2, note the following:
- Use Groups with caution. They create multiple containers based on a field's values. Each discrete value generates one container, with all matching event fields contained in it. This feature can be difficult to manage, so only use it if you really need it.
- In the Search Fields dropdown menus, select from the fields in the saved search results.
- In the CEF Fields dropdown menus, select a matching CEF name or enter a new one.

After you save the new event forwarding, the configuration is accessible in the SOAR Export Event Forwarding page. From there, you can enable/disable it, delete it, or clone it.

Call sendtophantom in a search

With the |sendalert sendtophantom, you can send an alert directly from the search page in the Splunk platform. Note the following:

Splunk platform events with multivalue fields generate duplicate artifacts by default when forwarded to Splunk SOAR. You can configure advanced options to convert the fields to a lists instead.
You must do all field mapping in search, which means that this method supports custom values for severity, label, etc.
- If the source field exists, it becomes name of container.
- If the search_name field exists, it becomes name of artifacts.
The sendalert sendtophantom command is called once for the entire result set, so severity, sensitivity, and the label are same for all containers.
When the sendtophantom sendalert action in a scheduled search, the container name will be name of saved search.
Fields are added to CEF in artifact; if the field names do not match defined CEF field names, the context is not set.
It is not a good practice to call sendtophantom from a correlation search. The container on Splunk SOAR and the notable in Splunk Enterprise Security won't be linked.
This approach bypasses the field mapping built into the app and allows for more control, especially for custom fields like notable event IDs.

To learn to use this method, see sendalert in the Splunk Search Reference manual.

Adaptive response action for notable events

If you have Splunk Enterprise Security, you can send notable events to Splunk SOAR. The playbook you select runs on a new container.

With Splunk Enterprise Security adaptive response, Splunk platform events with multivalue fields generate duplicate artifacts by default when forwarded to Splunk SOAR. You can configure advanced options to convert the fields to a lists instead.
Splunk platform events can be sent on an interval or in real time.
The process for a data model export is similar to forwarding a saved search.
With this method, you are limited to one event at a time and the field mapping is inflexible. Global field mappings are applied.

To learn how to configure this option, see Run adaptive response actions in Splunk ES to send notable events to Splunk SOAR in the Splunk App for SOAR Export manual.

If you experience errors:

Use ES Audit Adaptive Response Action Center to search for the sendtophantom action name.
Search the cim_modactions index for errors.

Next steps

If you want to practice these methods of sending data from the Splunk platform to Splunk SOAR and learn how to further customize them, Splunk Education offers a 13.5-hour, instructor-led course on advanced Splunk SOAR implementation. The hands-on labs in the course will teach you how to:

implement Splunk SOAR solutions
configure external Splunk searches
integrate Splunk SOAR into the Splunk platform
access the Splunk platform from Splunk SOAR
create custom code
use the Splunk SOAR REST API

Click here for the course catalog where you can read the details about this and other Splunk SOAR courses, as well as register.