Splunk SOAR can use an external Splunk Cloud Platform or Enterprise instance as the main search engine to search for Splunk SOAR data. To do that, install Splunk App for SOAR (previously known as Splunk Phantom Remote Search) on your Splunk instance to connect your Splunk instance to your Splunk SOAR instance.

After you have configured the remote-search feature on your Splunk SOAR instance, you can use Splunk searches on your Splunk SOAR data. Refer to the Search reference manual for more information about search functionality, SPL syntax, and more.