Splunk SOAR apps overview

Splunk SOAR apps provide a mechanism to extend Splunk SOAR (Cloud) by adding connectivity to third-party security technologies in order to run actions. Given the broad set of technologies that can be orchestrated during a cyber response exercise, apps let users and partners add their own custom functionality rather than waiting for built-in support.

Splunk SOAR apps are developed by engineers knowledgeable in Python and modern web technologies.

There are two methods to develop your own apps for Splunk SOAR: the Splunk SOAR SDK and the Splunk SOAR App Wizard.

Both methods are described in this manual.

Splunk SOAR app architecture

This architecture pertains to all Splunk SOAR apps, regardless of whether they were created with the Splunk SOAR SDK or with the Splunk SOAR App Wizard.

Splunk SOAR apps are written in Python to create a bridge between Splunk SOAR (Cloud) and other security devices and applications. Think of them as having two strict edges:

  • One of the edges is given an action to be carried out on behalf of Splunk SOAR (Cloud).
  • An app on the opposite edge converts the action into specific commands to communicate with its device or service.

The results of these actions are read by the app and passed back to Splunk SOAR (Cloud). This simple design helps facilitate automated actions that are carried out by Splunk SOAR (Cloud) on behalf of the user.

[Figure: three boxes, Splunk SOAR, App, and Device/Service. Action arrows run from Splunk SOAR to App and from App to Device/Service; result arrows run from Device/Service to App and from App to Splunk SOAR.]

The first edge is implemented by a rich set of Python APIs that the platform exposes to the app developer through a base class.
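The following is an added example, not code from the Splunk SOAR documentation or platform, that models the two-edge flow described above: an action arrives at the connector, the connector validates the parameters, translates the action into a call against the device, and hands a structured result back. The base class, the result type, the `APP_SUCCESS`/`APP_ERROR` constants and the in-memory blocklist service are all stand-ins constructed for this example (the real platform base class and its API are not reproduced here); the action names and the `api_key` configuration field are likewise assumptions.

```python
"""Model of a Splunk SOAR-style app: platform edge -> connector -> device edge.

Everything below is a constructed stand-in for illustration; it is not the
platform's own base class or API.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Stand-in status constants (assumption: the real platform defines its own).
APP_SUCCESS = True
APP_ERROR = False


@dataclass
class ActionResult:
    """Result handed back across the platform edge for one action."""
    param: dict
    status: bool = APP_ERROR
    message: str = ""
    data: list = field(default_factory=list)


class StandInBaseConnector:
    """Stand-in for the platform base class that receives actions."""

    def __init__(self) -> None:
        self.results: list[ActionResult] = []
        self.progress: list[str] = []

    def save_progress(self, message: str) -> None:
        self.progress.append(message)

    def add_action_result(self, result: ActionResult) -> ActionResult:
        self.results.append(result)
        return result

    def run_action(self, action_id: str, param: dict) -> ActionResult:
        # The platform edge: hand a copy of the parameters to the app.
        return self.handle_action(action_id, dict(param))

    def handle_action(self, action_id: str, param: dict) -> ActionResult:
        raise NotImplementedError


class FakeBlocklistService:
    """Constructed stand-in for the third-party device on the far edge."""

    def __init__(self, api_key: str) -> None:
        self._api_key = api_key
        self.blocked: set[str] = set()

    def block(self, ip: str, api_key: str) -> dict:
        if api_key != self._api_key:
            raise PermissionError("API key rejected")
        self.blocked.add(ip)
        return {"ip": ip, "blocked": True}


class BlocklistConnector(StandInBaseConnector):
    """Converts platform actions into calls against the blocklist service."""

    def __init__(self, config: dict, service: FakeBlocklistService) -> None:
        super().__init__()
        self._config = config      # e.g. {"api_key": "..."} (assumed field name)
        self._service = service

    def handle_action(self, action_id: str, param: dict) -> ActionResult:
        result = self.add_action_result(ActionResult(param))
        handlers = {"block ip": self._block_ip}
        handler = handlers.get(action_id)
        if handler is None:
            result.message = f"unsupported action: {action_id}"
            return result
        try:
            return handler(param, result)
        except PermissionError as exc:
            # Device-side failure maps to APP_ERROR; the key is never echoed.
            result.status = APP_ERROR
            result.message = f"device rejected request: {exc}"
            return result

    def _block_ip(self, param: dict, result: ActionResult) -> ActionResult:
        # Validate untrusted playbook input before it reaches the device.
        try:
            ip = str(ipaddress.ip_address(param["ip"]))
        except (KeyError, ValueError) as exc:
            result.message = f"invalid parameter: {exc}"
            return result
        self.save_progress(f"blocking {ip}")
        result.data.append(self._service.block(ip, self._config["api_key"]))
        result.status = APP_SUCCESS
        result.message = f"blocked {ip}"
        return result


if __name__ == "__main__":
    svc = FakeBlocklistService(api_key="demo-key")  # constructed credential
    app = BlocklistConnector({"api_key": "demo-key"}, svc)
    print(app.run_action("block ip", {"ip": "203.0.113.7"}))
    print(app.run_action("block ip", {"ip": "not-an-ip"}))
```

The connector never trusts the action parameters it is handed (they usually originate from a playbook or an analyst), maps every device-side failure to an error status with a message that omits the credential, and returns results only through the result object so the platform sees one consistent shape for success and failure.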

Apps distributed by Splunk SOAR or third parties are transmitted as .gzip archives that you can import into Splunk SOAR.