Configure forwarders to send SOAR data to your Splunk deployment

Use universal forwarders to forward your Splunk SOAR data into your Splunk deployment.

You might choose to use a universal forwarder for data retention purposes. For details, see Data retention and forwarders, later in this chapter.

Configure data forwarding

Before you can forward data from your Splunk SOAR (Cloud) deployment to a Splunk Cloud Platform or Splunk Enterprise deployment, you must configure Splunk SOAR (Cloud) for forwarding.

This section applies if you are forwarding data from Splunk SOAR (Cloud) to either an external instance of Splunk Enterprise or Splunk Cloud Platform.

Note: If your Splunk Cloud Platform deployment is in a restricted access category such as HIPAA, PCI/DSS, or FedRAMP Moderate, you must request that TCP port 9997 be opened on your Splunk Cloud Platform.

  1. In your Splunk Cloud Platform deployment, get a Universal Forwarder Credentials Package. For details, see Install and configure the Splunk Cloud Platform universal forwarder credentials package in the Splunk Universal Forwarder documentation.
    1. In Splunk Cloud Platform, select Apps, then Universal Forwarder.
    2. Select Download Universal Forwarder Credentials.
  2. In Splunk SOAR (Cloud), upload the credentials package from Step 1.
    1. From the Home menu, select Administration, then Administration Settings. Then select Forwarder Settings.
    2. Select the +Install Credentials Package button.
    3. Drag and drop, or select the link to navigate to your credentials package.
    4. Set a name for your forwarder group.
    5. Select the data types you want forwarded to your Splunk Cloud Platform or Splunk Enterprise deployment.
    6. Select the Save button.

Note: Create indexes to receive your forwarded data in your target instance. Complete the steps in Create indexes to receive your data.

Refer to Data types and corresponding indexes later in this chapter for a list of corresponding SOAR data types and Splunk indexes.

Make sure that logging levels are set for the appropriate logs in order to forward useful information. For more information about configuring logs and logging levels see Configure the logging levels for the Splunk SOAR (Cloud) action daemon.

Update a Universal Forwarder Credentials Package

You may need to update the credentials package associated with your forwarder group. For example, the certificates in the package may need to be refreshed due to an approaching expiration date.

First, obtain an updated Universal Forwarder Credentials Package.

  1. In your Splunk Cloud Platform deployment, get a Universal Forwarder Credentials Package. For details, see Install and configure the Splunk Cloud Platform universal forwarder credentials package in the Splunk Universal Forwarder documentation.
    1. In Splunk Cloud Platform, select Apps, then Universal Forwarder.
    2. Select Download Universal Forwarder Credentials.

Note: You can only use a Universal Forwarder Credentials Package that matches the existing stack for your forwarder group.

After you have obtained an updated Universal Forwarder Credentials Package, apply it to your forwarder group.

  1. From the Home menu, select Administration, then Administration Settings. Then select Forwarder Settings.
  2. Locate the forwarder group whose credential package you want to update.
  3. Select the edit icon at the right-hand edge of the table entry for the forwarder group.
  4. Select the Update Credentials Package button.
  5. Drag and drop, or select the large box to select and upload the Splunk Universal Forwarder Credentials Package associated with your Splunk Cloud Platform instance.
  6. Select Save.

Configure forwarding to a Splunk Enterprise deployment

If your organization forwards Splunk SOAR (Cloud) data to a Splunk Enterprise deployment, you need to configure your forwarders. To configure data forwarding, follow these steps:

  1. From the Home menu, select Administration, then Administration Settings. Then select Forwarder Settings.
  2. Select +New Group.
  3. In the Add a new forwarder group dialog do the following:
    1. In the Name field, type a name for your forwarder group (do not use the name splunk). This name is displayed on the Forwarder Settings page.
    2. (Conditional) If you use a TCP token to authenticate to your Splunk Enterprise deployment, add it to the Token field.
    3. In the Indexers field, add the address for your indexer. Click Add Another if you have more indexers to add. You can remove an indexer from the list by using the - button at the end of the indexer's address field.
    4. Select the Data types you want to ingest into Splunk Cloud Platform or Splunk Enterprise.
  4. Make sure the Enabled slider button is in the on position.
  5. Select Save.

After you complete these steps, data will begin to stream from Splunk SOAR (Cloud) to your Splunk Enterprise deployment.

Configure transport layer security between your Splunk SOAR (Cloud) universal forwarder and the receiving indexer

You can use transport layer security (TLS) certificates to secure connections between Splunk SOAR (Cloud)'s forwarders and the receiving indexers.

To add a TLS certificate, you will need a valid TLS certificate in your certificate bundle.

To use a certificate bundle, it must include:

  • the client certificate
  • the matching private key
  • the CA certificate that was used to sign the client certificate
  • (Conditional) the client certificate password, if the private key in your certificate bundle is encrypted

For more information on preparing your TLS certificates for use with the Splunk platform, see How to prepare TLS certificates for use with the Splunk platform in Securing Splunk Enterprise.

To add a TLS certificate for your Universal Forwarder, or to edit the TLS configuration, do the following steps:

  1. From the Home menu, select Administration, Administration Settings, Forwarder Settings.
  2. On the Forwarder Settings page, click the edit icon on the right-hand end of the forwarder group's entry.
  3. Click the Certificate configuration tab.
  4. Add your client certificate bundle either by dragging and dropping it onto the box provided, or by clicking the box and navigating to the bundle on your filesystem.
    1. (Conditional) If your Client certificate bundle includes an encrypted private key, type your client certificate password in the Client certificate password box.
  5. Add your TLS certificate by dragging and dropping the certificate onto the box provided, or by clicking the box and navigating to the certificate on your filesystem.
  6. (Optional) Select options as needed:
    1. Verify server certificate
    2. Verify server name
    3. Use client SSL compression
  7. (Optional) If you use common names or Subject Alt names for your servers, add them as comma-separated lists to the Allowed common names or Allowed Subject Alt names fields.
  8. Click Save.
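The checks below are an added example, not part of the Splunk documentation. They confirm, before you upload a bundle on the Certificate configuration tab, that the three parts of the bundle belong together (the private key matches the client certificate, the bundled CA actually signed it, and whether the key is encrypted and therefore needs the client certificate password), and they read the CN and DNS Subject Alternative Names out of an indexer certificate so you can fill in the Allowed common names and Allowed Subject Alt names fields from what the server really presents rather than from memory. The script needs only the openssl command line tool; every certificate, key, host name and password it uses is generated locally as constructed test material, so point the functions at your own files when you run it for real.

```shell
#!/bin/sh
# Added example, not part of the Splunk documentation: sanity-check a client
# certificate bundle before uploading it on the Certificate configuration tab,
# and read the names an indexer certificate presents so the "Allowed common
# names" / "Allowed Subject Alt names" fields can be filled in. Needs the
# openssl CLI. Everything under $WORK is constructed test material generated
# here; point the checks at your own files when you use this for real.
set -eu

WORK="${TMPDIR:-/tmp}/soar-tls-check.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# --- checks a bundle should pass ------------------------------------------

# True when the PEM private key is password-protected (PKCS#8 or legacy form).
key_is_encrypted() {
  grep -q 'ENCRYPTED' "$1"
}

# True when the private key ($2, password $3 if any) belongs to the
# certificate ($1): the public key in both must be identical.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -passin "pass:${3:-}" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# True when the CA certificate ($1) verifies the client certificate ($2).
cert_signed_by() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Subject CN of a certificate, for the "Allowed common names" field.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# DNS SANs of a certificate as a comma-separated list, for the
# "Allowed Subject Alt names" field.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS://p' | paste -sd, -
}

# Run all bundle checks: client cert ($1), key ($2), CA ($3), key password ($4).
check_bundle() {
  if key_is_encrypted "$2"; then
    echo "private key is encrypted: enter the client certificate password when uploading"
  fi
  if key_matches_cert "$1" "$2" "${4:-}"; then
    echo "private key matches the client certificate"
  else
    echo "MISMATCH: private key does not belong to the client certificate"; return 1
  fi
  if cert_signed_by "$3" "$1"; then
    echo "client certificate chains to the bundled CA certificate"
  else
    echo "client certificate is NOT signed by the bundled CA certificate"; return 1
  fi
}

# --- constructed test material ---------------------------------------------
# A throwaway CA, a client certificate with an encrypted key, and an indexer
# certificate carrying DNS SANs (all names and the password are invented).
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Lab CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -passout pass:changeit -subj "/CN=soar-forwarder" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/client.pem" 2>/dev/null
  printf 'subjectAltName=DNS:idx1.example.internal,DNS:idx2.example.internal\n' \
    > "$WORK/san.cnf"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=indexer.example.internal" \
    -keyout "$WORK/indexer.key" -out "$WORK/indexer.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/indexer.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/san.cnf" -out "$WORK/indexer.pem" 2>/dev/null
}

make_test_material
check_bundle "$WORK/client.pem" "$WORK/client.key" "$WORK/ca.pem" changeit
echo "Allowed common names: $(cert_cn "$WORK/indexer.pem")"
echo "Allowed Subject Alt names: $(cert_sans "$WORK/indexer.pem")"
```

A bundle that fails the key or CA check will be rejected by the indexer at handshake time, after you have already saved the forwarder group, so running these checks first saves a round of troubleshooting. When you turn on Verify server name, the values you put in Allowed common names and Allowed Subject Alt names must match the indexer certificate exactly, which is why the last two lines read them from the certificate itself.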

Create indexes to receive your data

Create indexes in your Splunk instance to receive data you forward from Splunk SOAR.

Before you begin forwarding your data, make sure that indexes exist in the target Splunk Enterprise or Splunk Cloud Platform instance. These indexes must be present to receive the Splunk SOAR data you are forwarding.

Refer to Data types and corresponding indexes later in this chapter for a list of corresponding SOAR data types and Splunk indexes.

If you use Splunk App for SOAR, you might have already configured the indexes. See Add required indexes to your Splunk server in the Install and Configure Splunk App for SOAR manual.

If target indexes do not already exist, create them following the instructions in the appropriate documentation for your deployment:

Reindexing

Reindexing sends all of your SOAR data to your Splunk Enterprise or Splunk Cloud Platform deployment again, which might result in duplicated data. To prevent duplicates, make sure to delete existing objects from all forwarder groups before reindexing. See How indexing works in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.

To reindex your Splunk SOAR (Cloud) data, perform the following steps:

  1. From the Home menu, select Administration, Administration Settings, Forwarder Settings.
  2. From the Forwarder Settings screen, select the Reindex tab.
  3. Use the dropdown menu to select the data type you want to reindex.
  4. (Optional) Set a start time from which to reindex data.
  5. (Optional) Set an end time, after which data should not be reindexed.
  6. Select Reindex.

Data types and corresponding indexes

This table shows the connection between the forwarded Data type and the index it corresponds to in Splunk Enterprise or Splunk Cloud Platform.

Note: Before you begin forwarding, make sure that all of the target indexes exist in your Splunk instance. See Create indexes to receive your data, earlier in this chapter for details.

  Splunk SOAR data type          Index in Splunk Enterprise/Splunk Cloud Platform
  ----------------------------   ------------------------------------------------
  Action run                     phantom_action_run
  App                            phantom_app
  App run                        phantom_app_run
  Artifact                       phantom_artifact
  Asset                          phantom_asset
  Audit log                      _audit
  Container                      phantom_container
  Container attachment           phantom_container_attachment
  Container comment              phantom_container_comment
  Custom function                phantom_custom_function
  Custom list                    phantom_decided_list
  Note                           phantom_note
  Playbook                       phantom_playbook
  Playbook run                   phantom_playbook_run
  SOAR logs                      splunk_app_soar
  Splunk Add-on for Linux logs   os
  System insights                phantom_system_insights
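The following script is an added example, not part of the Splunk documentation, covering both the Create indexes to receive your data section and the table above. It compares the indexes the table requires with the indexes a target Splunk Enterprise instance already has and emits indexes.conf stanzas for the ones that are missing, so you can confirm every target exists before enabling a forwarder group. The existing-index list is whatever your target reports (for example the output of splunk list index); the one used here is a constructed sample, the _audit index is skipped because every Splunk instance already has it, and the retention value is an assumption you should replace with how long the forwarded SOAR history must remain searchable. On Splunk Cloud Platform you create indexes in the web UI rather than with indexes.conf, but the missing-index report still tells you which ones to create.

```shell
#!/bin/sh
# Added example, not part of the Splunk documentation: report which of the
# indexes from the "Data types and corresponding indexes" table are missing
# on a target Splunk Enterprise instance and print indexes.conf stanzas for
# them. _audit is skipped because every instance has it. The existing-index
# list and the retention period below are constructed/assumed values.
set -eu

# Indexes named in the data type table (without the built-in _audit).
SOAR_INDEXES="phantom_action_run phantom_app phantom_app_run phantom_artifact
phantom_asset phantom_container phantom_container_attachment
phantom_container_comment phantom_custom_function phantom_decided_list
phantom_note phantom_playbook phantom_playbook_run splunk_app_soar os
phantom_system_insights"

# Print the required indexes absent from $1 (a whitespace-separated list of
# index names that exist on the target, e.g. from `splunk list index`).
missing_indexes() {
  for idx in $SOAR_INDEXES; do
    found=0
    for have in $1; do
      if [ "$have" = "$idx" ]; then found=1; fi
    done
    if [ "$found" -eq 0 ]; then echo "$idx"; fi
  done
}

# Number of missing indexes for the list in $1.
missing_count() {
  missing_indexes "$1" | wc -l | tr -d ' '
}

# Print an indexes.conf stanza for every index name read on stdin. $1 is
# frozenTimePeriodInSecs: how long events stay searchable before Splunk
# freezes (by default, deletes) them, which is what governs how long the
# forwarded SOAR history outlives the SOAR retention policy.
indexes_conf() {
  while read -r idx; do
    printf '[%s]\n' "$idx"
    printf 'homePath = $SPLUNK_DB/%s/db\n' "$idx"
    printf 'coldPath = $SPLUNK_DB/%s/colddb\n' "$idx"
    printf 'thawedPath = $SPLUNK_DB/%s/thaweddb\n' "$idx"
    printf 'frozenTimePeriodInSecs = %s\n\n' "$1"
  done
}

# Constructed sample of what a target might already have: the default
# indexes plus two SOAR indexes created earlier.
EXISTING="_audit _internal _introspection history main summary phantom_container phantom_artifact"
TWO_YEARS=$((2 * 365 * 86400))   # assumed retention: 63072000 seconds

echo "# $(missing_count "$EXISTING") of the required SOAR indexes are missing"
missing_indexes "$EXISTING" | indexes_conf "$TWO_YEARS"
```

Drop the generated stanzas into $SPLUNK_HOME/etc/system/local/indexes.conf (or an app's local directory) on each indexer and restart or reload, then re-run the check with the refreshed index list; once missing_count reports 0 the forwarder group can be enabled without events landing in a nonexistent index.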

Configure forwarding a data type to a specific Splunk index

Perform the following steps to change or customize the target Splunk Cloud Platform or Splunk Enterprise index for a data type.

Note: Make sure the target index exists in your Splunk Cloud Platform or Splunk Enterprise deployment before you change the setting in Splunk SOAR (Cloud). See Create indexes to receive your data, earlier in this chapter for details.

  1. From the Home menu, select Administration. Select Administration Settings, then Forwarder Settings.
  2. From the Forwarder Settings page, select the Settings button.
  3. Enter the Splunk Cloud Platform or Splunk Enterprise index in the input box next to the data type you want to customize.
  4. When your customizations are complete, click the Submit button.

Data retention and forwarders

Use the universal forwarder to pass SOAR data to your Splunk instance so you can access it after it is no longer retained in SOAR.

Your SOAR data is deleted once it reaches the age set by the Splunk SOAR data retention policy. For details on the Splunk SOAR data retention policy, see Storage and Data Retention in the Splunk SOAR (Cloud) Service Description.

To continue to access your SOAR automation history data, including audit log, artifact, playbook run, and action run data, you can choose to use universal forwarders to pass the data to your Splunk instance.

Forwarding data for data retention purposes is a specific use case for universal forwarders. Follow the procedures in the previous articles for setting up the forwarder and forwarding the data. This article describes procedures specific to this use case.

Specifics for setting up a forwarder

Set up your forwarders any time before your data is deleted, based on the data retention policy. At any point, you can reindex your data to send it to your Splunk deployment.

For any SOAR data you want to forward, check that the indexes exist in your target Splunk Enterprise or Splunk Cloud Platform instance. See the reference links in the Create indexes to receive your data section of this document.

Find your data in your Splunk deployment

To find your Splunk SOAR data, perform a search in your Splunk deployment. For full details on searching in Splunk, refer to The Search Manual for Splunk Cloud Platform or the Search Manual for Splunk Enterprise Security.

When performing your search for forwarded SOAR data, specify the following information:

  • In the Search field, enter the index you want to search. For example, enter index="phantom_container" to see container information for your automation.

  • Using the date picker, choose the date range for the data that is no longer in your SOAR system. For example, choose a date range starting 1 year ago, to find the most recent data that is no longer present in SOAR.

If you want to keep the results, download or export the data. Your search is kept in the search history for easy access.

View deletion operations

The audit log in your Splunk SOAR instance contains a record of data deleted due to the data retention policy. For details, see Audit logs from Splunk SOAR instances using Splunk App for SOAR.

See also

For more information about getting data into Splunk Enterprise or Splunk Cloud Platform see these additional resources.