About the Splunk App for SOAR Export

Splunk SOAR can use the Splunk platform as a source of data by ingesting events. The Splunk App for SOAR Export, formerly known as Phantom App for Splunk, is required to configure Splunk Enterprise or Splunk Cloud Platform as a data source for getting data into Splunk SOAR.

What does the Splunk App for SOAR Export do?

The following image shows an example of how a standalone Splunk SOAR instance is integrated with a Splunk platform environment.

This diagram shows how the Splunk App for SOAR Export translates CIM data from the Splunk platform to CEF data for Splunk SOAR. Splunk Cloud Platform and Splunk Enterprise are shown on the left. Arrows from both Splunk Cloud Platform and Splunk Enterprise point to a box labeled Splunk Alerts, which contains Saved Search, Data Model, and Splunk ES Notable. The Splunk App for SOAR Export performs mapping to CEF fields for Saved Search and Data Model, and CIM to CEF translation for Splunk ES Notables. Finally, CEF events are sent from the Splunk platform to Splunk SOAR.

The Splunk App for SOAR Export is installed as an app on the Splunk platform and forwards events to Splunk SOAR. The Splunk platform environment consists of raw events or Common Information Model (CIM) data, while Splunk SOAR uses the Common Event Format (CEF). The Splunk App for SOAR Export acts as a translation service between the Splunk platform and Splunk SOAR by performing the following tasks:

  • Mapping fields from Splunk platform alerts, such as saved searches and data models, to CEF fields.
  • Translating CIM fields from Splunk Enterprise Security (ES) notable events to CEF fields.
  • Forwarding events in CEF format to Splunk SOAR, where they are stored as artifacts.
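To make the translation step concrete, the following Python is an added example, not code from the Splunk App for SOAR Export itself: it renames CIM field names from one alert result row to CEF names, passes unmapped fields through unchanged, and wraps the result in the artifact record SOAR stores. The field mapping, the artifact field names, and the sample notable row are illustrative assumptions and constructed data, not the app's shipped mapping table.

```python
import hashlib
import json

# Illustrative CIM -> CEF field mapping (assumed for this example; the app ships
# its own mapping table, which this page does not reproduce).
CIM_TO_CEF = {
    "src": "sourceAddress",
    "src_port": "sourcePort",
    "dest": "destinationAddress",
    "dest_port": "destinationPort",
    "user": "destinationUserName",
    "src_user": "sourceUserName",
    "action": "act",
    "signature": "message",
}


def cim_to_cef(event: dict) -> dict:
    """Rename CIM-named fields to CEF names; unmapped fields keep their name."""
    cef = {}
    for field, value in event.items():
        # Splunk multivalue fields arrive as lists; they are kept as lists here
        cef[CIM_TO_CEF.get(field, field)] = value
    return cef


def build_artifact(event: dict, container_id: int, label: str, name: str) -> dict:
    """Build the artifact record SOAR stores for a forwarded event (assumed shape)."""
    # Stable identifier so re-running the same alert does not create a duplicate artifact
    sdi = hashlib.sha256(json.dumps(event, sort_keys=True).encode()).hexdigest()
    return {
        "container_id": container_id,
        "label": label,
        "name": name,
        "source_data_identifier": sdi,
        "cef": cim_to_cef(event),
    }


# Constructed sample: one result row from an ES notable-style search
SAMPLE_NOTABLE = {
    "src": "10.0.0.5",
    "dest": "10.0.0.9",
    "dest_port": "445",
    "user": "jdoe",
    "action": "blocked",
    "signature": "SMB lateral movement attempt",
    "rule_name": "Constructed - Lateral Movement",  # unmapped, passed through as-is
}

if __name__ == "__main__":
    print(json.dumps(build_artifact(SAMPLE_NOTABLE, 42, "notable", "ES notable"), indent=2))
```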