Administer Splunk SOAR (Cloud)
Splunk SOAR (Cloud) is a cloud-based Security Orchestration, Automation, and Response (SOAR) system that is delivered as a SaaS (software-as-a-service) solution hosted and managed by Splunk.
The Splunk SOAR (Cloud) platform combines security infrastructure orchestration, playbook automation, and case management capabilities to integrate your team, processes, and tools to help you orchestrate security workflows, automate repetitive security tasks, and quickly respond to threats.
This manual is intended to be used by the person or team administering the Splunk SOAR (Cloud) system.
The following topics are discussed in this manual:
| Feature | Description | 
|---|---|
| Company Settings | Information about your company, contacts, and your Splunk SOAR (Cloud) license. | 
| Administration Settings | All the settings to configure the behavior and appearance of Splunk SOAR (Cloud). | 
| Product Settings | Settings for the Splunk SOAR (Cloud) product that apply to your deployment, such as clickable URLs, aggregation, and workbooks. | 
| Event Settings | Settings to configure the organization, handling, and presentation of events. |
| User Management | Settings related to user accounts, permissions, and authentication. | 
| View how much data is ingested in Splunk SOAR (Cloud) using ingestion summary | Information and reports for monitoring the activity of your Splunk SOAR (Cloud) deployment. | 
| Apps and Assets | How to add and configure apps and assets to provide actions in Splunk SOAR (Cloud). | 
| Telemetry | Information about sharing data from Splunk SOAR (Cloud). | 
Splunk Technical Support
Splunk Standard Support is included in every Splunk SOAR (Cloud) subscription. For details about the levels of technical support provided, read Support Programs. Only authorized support contacts from your company can open cases. Your Splunk support agreement specifies who your authorized contacts are. Your Support contract specifies a number of authorized contacts and an expiration date. One of your contacts is a Support portal administrator, who can update the list. Only an authorized contact can open a case and track its status. An authorized contact can file a case by logging in to splunk.com, then navigating to the Support Portal.
Splunk Support portal
Designated Splunk SOAR (Cloud) users can manage operational contacts for their account and file support cases using the Support portal. Operational contacts are the people in your organization who are notified when their Splunk SOAR (Cloud) environment undergoes maintenance or experiences an event that affects performance.
To manage operational contacts:
- Go to **My Operational Contacts** in the Support portal.
- Follow the instructions on the page to add, edit, and remove operational contacts for your Splunk SOAR (Cloud) environment.
To file a case on the Support portal:
- From the **Splunk installation is?** dropdown, select the state of your deployment.
- In **Subject**, summarize your issue. Splunk Support sees the first 250 characters in this field.
- In **What Product are you having trouble with?** select Splunk SOAR (Cloud).
- In **What OS are you using?** select Linux.
- Leave **What OS Version are you using?** blank.
- In **I need help with...** select a category that applies to your issue.
- In **What is the impact...** explain briefly how this issue disrupts your work.
- In the **Problem Description**, be thorough. For issues (as opposed to enhancement requests), include the exact time of the issue and its duration, the type of Splunk instance experiencing the issue (for example, forwarder, search head, or indexers), and any relevant screen shots.
- Include **Steps to reproduce** if you've found a specific scenario that triggers the issue.
- Click **Submit**. The portal directs you to a screen with a case number and sends you an email containing the case number.
Splunk Support replies to the case creator by email. You can update the case by replying to the email (be sure to keep the tracking ID in the email subject line). You can also update the case, check on its status, or close a case using the support portal.
Splunk community
The Splunk user community is a great resource. Check out Splunk Answers, where you can ask and answer questions about the product. There are also a number of other ways to get involved in the Splunk community, such as user groups or the Splunk Trust. For more information about getting involved with the Splunk community, see the Community portal.
See also
- Use playbooks to automate analyst workflows in Splunk SOAR (Cloud) in the *Build Playbooks with the Playbook Editor* manual.
- About Splunk Automation Broker in the *Set Up and manage the Splunk SOAR Automation Broker* manual.