Configure Splunk SOAR apps in Splunk Enterprise Security

Apps expand the capabilities of Splunk Enterprise Security by connecting to third-party products and services. These third-party products and services provide actions you can use to run or automate playbooks. For example, you can use the get email action from the Microsoft 365 email app in your playbooks.

You can configure apps in either Splunk Enterprise Security or Splunk SOAR.

Notes about configuring apps in Splunk Enterprise Security when paired with Splunk SOAR:

  • All apps in SOAR are listed in Enterprise Security.

  • Not all available apps support data ingestion for use in Enterprise Security.

  • Splunk SOAR is the source of data used by the apps, regardless of where the data is used.

  • You can configure most apps in either SOAR or Enterprise Security. However, you must configure apps that ingest data in the location where the data will be used:

    • If an app will use SOAR data only within SOAR, configure that app in SOAR.

    • If an app will ingest SOAR data for use in Enterprise Security, configure that app in Enterprise Security.

CAUTION: Apps have full access to the operating system, and there are no security restrictions on any app while it is running. Review an app before you install it, and treat the credentials stored in its assets as highly privileged.

Note: Within Splunk SOAR, the term asset is used in addition to the term app. An asset is a specific configuration, or instance, of an app: it holds the information required to communicate with the third-party product or service, such as IP address, automation service account, username, and password.

Configure apps in Splunk Enterprise Security

Set up apps directly within Enterprise Security.

To view and configure apps within Splunk Enterprise Security, from the Configure menu, select Splunk SOAR, then Apps.

The Apps page displays installed apps in two tabs: Configured and Not configured. Each app includes a brief description, along with labels that show its attributes. Most labels describe the specific actions of the app, like lookup ip and get threat details. To filter by action category, like firewall, email, or reputation, use the Select filters menu when searching.

To find apps that can ingest data for use within Splunk Enterprise Security, look for the Support ES Ingestion category and the on es poll label. You can configure these apps completely within Enterprise Security, including ingestion settings such as how often you want the app to poll to ingest data.

Note: You must use Enterprise Security to configure ingestion information for apps within Enterprise Security; you cannot configure that information within Splunk SOAR. Apps configured in Enterprise Security must have the on es poll label to be able to poll for Enterprise Security data.

View and configure apps

To view and configure apps that are not yet configured, or to update apps that have already been configured, follow these steps:

From the Configure menu, select Splunk SOAR, then Apps. Select the Not configured tab to configure new apps, or the Configured tab to update previously configured apps.

  1. Locate the app you want to set up and select Configure.

    Note: A message displays, warning that the installation of this app is not yet complete. Following these steps will complete the app configuration.
  2. Enter a unique name for the app. Note that you cannot change the name after you save the app.

  3. Complete the app's required fields, indicated with asterisks (*). Required fields differ for each app. Read the documentation for the app in the side panel. This documentation is provided by the app developer, not necessarily by Splunk.

  4. (Optional) Complete additional fields for this app.

  5. (Optional) Complete some or all of the Advanced configuration settings. This section contains essential but abbreviated information. For complete details, refer to Configure advanced settings in Administer Splunk SOAR (Cloud) or Configure advanced settings in Administer Splunk SOAR (On-premises).

    Note: Some fields specific to configuration for Splunk SOAR ingestion do not appear when configuring an app in Splunk Enterprise Security. This is expected.

    Concurrent action limit: Controls how many actions this asset can run simultaneously. Increasing this limit can improve performance. If left blank, the default value is 50.

    Enable just in time credentials: Select one or more fields that require a user to enter credentials before an action runs. This setting is often used by organizations with policies against storing credentials for automatic use. If you select one or more fields here, you can no longer use ingestion (via the Automation Broker) for this app.

    User for automated actions: The account used for automated actions, like testing connectivity. This user appears in log files. The automation user is often specified for this duty.
  6. Optionally enter environment variables to apply to this app. Note that global environment variables take precedence over any configured in an asset. This section contains essential but abbreviated information. For complete details, refer to Set global environment variables in Administer Splunk SOAR (Cloud) or Set global environment variables in Administer Splunk SOAR (On-premises).

    Specify the relevant type of proxy as the name: HTTP_PROXY, HTTPS_PROXY, or NO_PROXY (case-sensitive), then provide a value. Select Secret to encrypt and hide the value.

  7. Select Save or select Next to continue with Ingest settings.
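The two rules worth testing before you rely on proxy variables in an asset are the precedence rule (a global variable overrides the same variable set on the asset) and the case-sensitive names. The following added example, which is not Splunk's code, resolves which proxy an asset's outbound call would use under those rules. The NO_PROXY matching (comma-separated host suffixes, optional :port, "*" for everything) follows the convention common to HTTP client libraries; how Splunk SOAR itself applies NO_PROXY is an assumption here, as are the host names.

```python
"""Resolve which proxy an asset's outbound HTTP call would use.

Added example, not Splunk's code. Global variables override asset-level ones,
and only the exact names HTTP_PROXY, HTTPS_PROXY and NO_PROXY are honoured.
The NO_PROXY matching rules are an assumption based on common client behaviour.
"""
from urllib.parse import urlsplit


def effective_env(asset_env, global_env):
    """Merge asset and global variables; a global variable wins on conflict."""
    merged = dict(asset_env)
    merged.update(global_env)  # global precedence, as the docs state
    return merged


def no_proxy_match(host, port, no_proxy):
    """True if host:port is listed in NO_PROXY and must bypass the proxy."""
    if not no_proxy:
        return False
    for entry in no_proxy.split(","):
        entry = entry.strip().lower()
        if not entry:
            continue
        if entry == "*":
            return True
        if ":" in entry:
            entry_host, entry_port = entry.rsplit(":", 1)
            if entry_port != str(port):
                continue  # listed for a different port only
        else:
            entry_host = entry
        entry_host = entry_host.lstrip(".")
        if host == entry_host or host.endswith("." + entry_host):
            return True
    return False


def resolve_proxy(url, asset_env, global_env):
    """Return the proxy URL for `url`, or None for a direct connection."""
    env = effective_env(asset_env, global_env)
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if no_proxy_match(host, port, env.get("NO_PROXY")):
        return None
    # Exact upper-case names only: an asset that sets "https_proxy" is ignored.
    return env.get("HTTPS_PROXY" if parts.scheme == "https" else "HTTP_PROXY")


if __name__ == "__main__":
    # Constructed sample: an asset-level proxy overridden by a global one.
    asset_env = {"HTTPS_PROXY": "http://proxy.asset.example:3128",
                 "NO_PROXY": "localhost,.corp.example"}
    global_env = {"HTTPS_PROXY": "http://proxy.global.example:3128"}
    for target in ("https://api.vendor.example/v1/alerts",
                   "https://siem.corp.example/services",
                   "https://localhost:8443/"):
        print(target, "->", resolve_proxy(target, asset_env, global_env))
```

If an asset's proxy setting appears to be ignored, check first for a global variable of the same name, then for a lower-case variable name, before suspecting the proxy itself.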

Ingest setting configuration

  1. For each app using Enterprise Security data, make a selection for each of the following required fields.

    Investigation type: Options include phishing and ransomware. The available investigation types are those specified in Configurations > Findings and investigations > Investigation types.
    Security domain: Options are access, endpoint, network, threat, identity, and audit. These options are defined by Enterprise Security and cannot be customized.
    Urgency: Options are critical, high, medium, low, and informational. These options are defined by Enterprise Security and cannot be customized.

  2. Specify information to configure drill-down dashboards, where you can visualize the drill-down searches. For complete details, see Configure drill-down dashboards for a finding.

    Note: To configure or edit drill-down dashboards, you must have the capability to view the specific dashboard and edit detections. To view the drill-down dashboard from the Mission Control page, you must have viewing permissions for the specific dashboard.

    Dashboard: Select an existing Splunk dashboard in your Enterprise Security deployment that you want to use for these findings.
    Name: Specify a name you want to associate with these findings on the analyst queue. Supports tokens (see next row).
    Tokens: Optionally add one or more tokens to use to filter these findings in the dashboard. Tokens are case-sensitive. For details on tokens, in addition to the link above, see Manage analyst workflows using the analyst queue in Splunk Enterprise Security.

  3. By default, the following options for threat analysis are selected. Clear the checkboxes if you do not want to perform these actions automatically.

  4. Select Save or select Next to continue with Custom Settings.
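To see how the ingest settings constrain what an app may hand to Enterprise Security, the following added example, which is not Splunk's code, applies one asset's settings to a polled record. It enforces the rules stated above: security domain and urgency must come from the fixed sets Enterprise Security defines, investigation type must be one of the configured types, and the drill-down name may carry case-sensitive tokens. The $token$ syntax is Splunk's dashboard token convention; the exact substitution Enterprise Security performs, the record layout, and the sample data are assumptions for illustration.

```python
"""Apply an asset's Enterprise Security ingest settings to a polled record.

Added example, not Splunk's code. Fixed sets mirror the options the docs
list; the $token$ substitution and the record layout are assumptions.
"""
import re

SECURITY_DOMAINS = frozenset({"access", "endpoint", "network", "threat", "identity", "audit"})
URGENCIES = frozenset({"critical", "high", "medium", "low", "informational"})
TOKEN_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")


def validate_ingest_settings(settings, investigation_types):
    """Return a list of problems; an empty list means the settings are usable."""
    errors = []
    itype = settings.get("investigation_type")
    if itype not in investigation_types:
        errors.append(f"investigation_type {itype!r} is not a configured investigation type")
    domain = settings.get("security_domain")
    if domain not in SECURITY_DOMAINS:
        errors.append(f"security_domain {domain!r} is not an Enterprise Security domain")
    urgency = settings.get("urgency")
    if urgency not in URGENCIES:
        errors.append(f"urgency {urgency!r} is not an Enterprise Security urgency")
    return errors


def render_drilldown_name(template, values):
    """Replace $token$ with the record field of the same name, case-sensitively.

    Tokens with no matching field are left untouched so the mismatch is visible
    on the analyst queue instead of silently producing an empty name.
    """
    def substitute(match):
        name = match.group(1)
        return str(values[name]) if name in values else match.group(0)
    return TOKEN_RE.sub(substitute, template)


def build_finding(record, settings, investigation_types):
    """Combine a polled record with validated ingest settings into a finding."""
    errors = validate_ingest_settings(settings, investigation_types)
    if errors:
        raise ValueError("; ".join(errors))
    drilldown = settings["drilldown"]
    return {
        "asset": settings["asset_name"],
        "investigation_type": settings["investigation_type"],
        "security_domain": settings["security_domain"],
        "urgency": settings["urgency"],
        "drilldown_dashboard": drilldown["dashboard"],
        "drilldown_name": render_drilldown_name(drilldown["name"], record),
        "raw": record,
    }


# Constructed sample: the investigation types an administrator configured, an
# asset's ingest settings, and one record as a mail app might poll it.
INVESTIGATION_TYPES = ["phishing", "ransomware"]
ASSET_SETTINGS = {
    "asset_name": "m365-email-es-poll",
    "investigation_type": "phishing",
    "security_domain": "network",
    "urgency": "high",
    "drilldown": {"dashboard": "email_activity", "name": "Mail from $sender$ to $recipient$"},
}
SAMPLE_RECORD = {"sender": "billing@example.net", "recipient": "alice@corp.example",
                 "subject": "Invoice overdue", "Sender": "not used: case differs"}

if __name__ == "__main__":
    print(build_finding(SAMPLE_RECORD, ASSET_SETTINGS, INVESTIGATION_TYPES))
    print(validate_ingest_settings(dict(ASSET_SETTINGS, security_domain="Network"),
                                   INVESTIGATION_TYPES))
```

The validator rejects "Network" and "Critical" even though they differ from valid values only in case, which is the kind of mismatch that otherwise surfaces only as findings that never appear in the analyst queue.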

Custom Settings configuration

Different apps have different configuration requirements. Not all settings are required, or present, for each app.

  1. Automation Broker: Specify the automation broker to use to poll for ingesting data. For details on automation brokers, see About Splunk SOAR Automation Broker.

  2. Access control settings:
    • For security, granular asset permissions are turned on by default, so only a specific list of users and roles can access apps and assets. To change this permission, select the link.

    • Select which actions you want the app to take. To take all actions, select the star (asterisk).

    • Specify which users and roles can access this app.

  3. Approval settings
    • Optionally specify users, roles, or both to function as primary and secondary approvers. Specify the number of primary and secondary approvers from the users and roles you selected.

  4. Select Save or select Next to continue with Additional Settings.
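The access control and approval settings together decide whether a given action run is permitted. The following added example, which is not Splunk's code, models that decision: granular asset permissions listing the users and roles that may use the asset, an allowed-action list in which "*" means every action, and primary and secondary approver pools with a required number of each. The data shapes, the names, and the order of checks are assumptions for illustration; the page does not describe Splunk SOAR's internal evaluation.

```python
"""Evaluate an asset's access-control and approval settings for one action run.

Added example, not Splunk's code. Data shapes and decision order are
assumptions; the settings modelled are the ones the docs describe.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user: str
    roles: frozenset


@dataclass(frozen=True)
class AssetPolicy:
    allowed_actions: frozenset        # {"*"} enables every action of the app
    users: frozenset                  # users granted access to the asset
    roles: frozenset                  # roles granted access to the asset
    primary_pool: frozenset = frozenset()    # users or roles that may give a primary approval
    secondary_pool: frozenset = frozenset()  # users or roles that may give a secondary approval
    primary_required: int = 0
    secondary_required: int = 0


def in_pool(principal, pool):
    """A principal matches a pool by user name or by any of its roles."""
    return principal.user in pool or bool(principal.roles & pool)


def count_approvals(approvers, pool):
    """Count distinct users, so one person approving twice still counts once."""
    return len({a.user for a in approvers if in_pool(a, pool)})


def authorize(actor, action, approvers, policy):
    """Return (allowed, reason). Access is checked before approvals are counted."""
    if not (actor.user in policy.users or actor.roles & policy.roles):
        return False, "actor is not in the asset's users or roles"
    if "*" not in policy.allowed_actions and action not in policy.allowed_actions:
        return False, f"action {action!r} is not enabled for this asset"
    if count_approvals(approvers, policy.primary_pool) < policy.primary_required:
        return False, "not enough primary approvals"
    if count_approvals(approvers, policy.secondary_pool) < policy.secondary_required:
        return False, "not enough secondary approvals"
    return True, "allowed"


# Constructed sample: a reputation asset with two enabled actions, analyst
# access by role, and a one-primary, one-secondary approval requirement.
POLICY = AssetPolicy(
    allowed_actions=frozenset({"lookup ip", "get threat details"}),
    users=frozenset({"alice"}),
    roles=frozenset({"soc_analyst"}),
    primary_pool=frozenset({"soc_lead"}),
    secondary_pool=frozenset({"dave"}),
    primary_required=1,
    secondary_required=1,
)
ANALYST = Principal("bob", frozenset({"soc_analyst"}))
LEAD = Principal("carol", frozenset({"soc_lead"}))
DAVE = Principal("dave", frozenset())

if __name__ == "__main__":
    print(authorize(ANALYST, "lookup ip", [LEAD, DAVE], POLICY))
    print(authorize(ANALYST, "block ip", [LEAD, DAVE], POLICY))
    print(authorize(ANALYST, "lookup ip", [LEAD, LEAD], POLICY))
```

Enabling only the actions a playbook needs, rather than selecting the star, keeps a compromised or misbehaving playbook from reaching the app's other actions through this asset.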

Additional Settings

Different apps have different configuration requirements. Not all settings are required, or present, for each app.

  1. Enter a description for this app.

  2. Select tags from Splunk SOAR so this app will be easier to find, flag objects, and use in playbooks. For details on SOAR tags, including roles required to view and edit tags, see the following documentation for your deployment type:

  3. Select Save to complete the configuration for this app.

    The app displays with all of the configurations you specified.

  4. If the app supports it, a Test Connectivity button appears. Select the button to check that the app works with the configuration you specified. Read the messages displayed to learn how to fix any connectivity issues with your app. Update the connectivity configuration, then test again.

Clone an app between SOAR and Enterprise Security

Save time by creating and editing a copy of an app used in SOAR, rather than starting from scratch.

If you have an app that is configured to ingest data from, and use that data within, Splunk SOAR, you can clone that app to use that ingested data within Splunk Enterprise Security. Cloning an app saves time, because almost all of the configuration information is copied; you only need to configure the ingestion settings.

To clone an app, follow these steps:

  1. In Enterprise Security, from the Configure menu, select Splunk SOAR, then Apps.

  2. Select the Configured tab. Browse or search for the app whose ingested data you want to use within Splunk Enterprise Security.

  3. Select View to view the app's configuration, then select Ingest Settings.

  4. At the start of the Ingest Settings section, a note appears, letting you know that you can clone the asset. Select the Clone this asset link. A new settings screen appears where you can specify configuration settings.

  5. Provide a name to distinguish this new asset from the SOAR-focused asset.

  6. Provide Enterprise Security ingestion information.

  7. Optionally update other configuration settings that were cloned from the SOAR-focused asset.

  8. Select Save.

Add and configure apps and assets in Splunk SOAR

How to add and configure apps when you cannot do so in Splunk Enterprise Security.

For apps not yet configurable within Splunk Enterprise Security, you can add or configure them in Splunk SOAR. At the top of the Apps page, select Add apps in SOAR.

For details on creating and configuring apps and assets in Splunk SOAR, refer to the documentation in the next section, See also.

After you configure an app in Splunk SOAR, it appears in the list of apps you can configure in Splunk Enterprise Security. For details, see Configure Splunk SOAR apps in Splunk Enterprise Security.

Within Splunk SOAR, you cannot edit apps that were configured in Enterprise Security and have the on es poll label. You can delete these apps from within SOAR, in case there is an issue and you need to start over.

See also

For details on apps and assets in Splunk SOAR, see the following articles:

Splunk SOAR (Cloud):

Splunk SOAR (On-premises):

About Splunk SOAR Automation Broker