Add and configure apps and assets to provide actions in Splunk SOAR (Cloud)
Splunk SOAR (Cloud) apps expand the capabilities of your Splunk SOAR (Cloud) instance by allowing connections to third-party products and services. These third-party products and services provide actions you can run or automate in your Splunk SOAR (Cloud) playbooks. For example, the MaxMind app provides the geolocate ip action for your Splunk SOAR (Cloud) deployment.
You can upgrade existing apps or install new apps at any time without having to upgrade the entire Splunk SOAR (Cloud) platform.
An asset is a specific configuration, or instance, of an app. An asset is configured with the information required to communicate with the third-party product or service, such as IP address, automation service account, username, and password.
For example, Splunk SOAR (Cloud) ships with a VMware vSphere app enabling Splunk SOAR (Cloud) to get information from and take actions against a vSphere host. You can use Splunk SOAR (Cloud) to start and stop VMs, take snapshots, and download memory snapshots for analysis. In order for the app to be able to communicate with your vSphere servers, you must provide the hostname or IP address and login credentials. You might have multiple vSphere servers, such as several individual ESXi hosts, or you might have them centralized onto one vCenter server. To tell Splunk SOAR (Cloud) about a given vSphere server, create a vSphere asset and provide the address and credentials needed for that server. You can then create another vSphere asset with a different address and credentials if needed. When taking actions, you specify which asset the action is for.
This table shows how multiple vSphere assets are configured from a vSphere app:
| Splunk SOAR (Cloud) app | Configure multiple assets from a single app |
|---|---|
| VMware vSphere | vSphere 1 |
| | vSphere 2 |
| | vSphere 3 |
View your Splunk SOAR (Cloud) assets
Splunk SOAR (Cloud) ships with one asset for the DNS, MaxMind, PhishTank, REST Data Source, and WHOIS apps already configured.
To view configured assets, perform the following tasks:
- From the Home menu, select Apps.
- Verify the Configure Apps tab is selected.
- In any app, click the arrow icon corresponding to configured assets to expand the section and view the assets. For example, if an app shows 3 configured assets, click on the arrow to view the configured assets. You can hover over the asset to edit or delete the asset.
Install, update, or delete apps on Splunk SOAR (Cloud)
Navigate to the Apps page to install, update, or delete Splunk SOAR (Cloud) apps.
Install a new Splunk SOAR (Cloud) app
Perform the following steps to install a new Splunk SOAR (Cloud) app:
- Obtain the new app or develop a new app. See Splunk SOAR (Cloud) apps overview in Develop Apps for Splunk SOAR (Cloud).
- From the Home menu, select Apps.
- Click Install App.
- Drag and drop a .tar or .rpm archive of the app into the file field, or click in the file field and navigate to the location of the app file on your system.
- Click Install.
You can install new apps from Splunkbase:
- From the Home menu, select Apps.
- Click New Apps.
- A list of available apps is displayed. If you do not see the app you are looking for, search for it by typing search terms into the search bar at the top of the list of apps.
- Select the app you want to install, then click Install. To install all available apps, click Install All. If you are prompted for your credentials, use your Splunk.com login information.
After installing an app using either method, the new app is available on the Unconfigured Apps tab of the Apps page.
For compatibility needs, you can install multiple versions of the same app. However, only one version of the app can be active at a time. To install an incompatible app or version, see Install or update an incompatible app or version later in this section.
Install or update an incompatible app or version
You might choose to install an app that is not compatible with the version of Splunk SOAR (Cloud) you are running. To switch off automatic version checking when installing Splunk apps, community apps, and custom apps, contact Splunk Support or create a support case online. You must create a support case each time you want to switch automatic version checking on or off.
Update existing Splunk SOAR (Cloud) apps
To update an existing Splunk SOAR (Cloud) app, perform the following steps:
- From the Home menu, select Apps.
- Click App Updates.
- Select any apps with available updates.
- Click Update.
Delete a Splunk SOAR (Cloud) app
Perform the following steps to delete a Splunk SOAR (Cloud) app:
- From the Home menu, select Apps.
- Click the trash can icon for the app you want to delete.
- Click Delete to confirm you want to delete the app.
You can re-install any app that you deleted by downloading the app and installing the app again.
Add, edit, or delete a Splunk SOAR (Cloud) asset
Manage the assets in your Splunk SOAR (Cloud) instance. You can add a new asset, and edit or delete existing assets.
Add a new Splunk SOAR (Cloud) asset
Perform the following steps to create a new Splunk SOAR (Cloud) asset:
- From the Home menu, select Apps.
- Click Configure New Asset for the desired app.
- In the Asset Name field, enter a name for the asset such as firewall. This name is the one you use when referring to the asset in scripts. Specify the name as a string without spaces or punctuation.
- (Optional) In the Asset Description field, enter a longer and more descriptive name for this asset, such as Perimeter Firewall for the engineering network.
- (Optional) Enter one or more tags for the asset. You can use the same tag for multiple assets to group them together, and then perform actions on all assets with matching tags. See Add tags to objects in Splunk SOAR (Cloud).
- Click Save.
The amount of configuration required for each asset is determined by the app. Some assets require additional configuration. For example, if you configure a QRadar asset, you must also configure settings on the Asset Settings and Ingest Settings tabs before you can save the configuration.
- Most assets require authentication information so that Splunk SOAR (Cloud) can connect to the desired server or service. You can configure authentication for an asset on the Asset Settings tab.
- Data ingestion settings, such as polling intervals and where to put the data once the data is ingested, are configured on the Ingest Settings tab. The destination for ingested data is called a container in Splunk SOAR (Cloud).
Edit a Splunk SOAR (Cloud) asset
Perform the following steps to edit a Splunk SOAR (Cloud) asset:
- From the Home menu, select Apps.
- Make sure the Configured Apps tab is selected.
- Click on the number of configured assets in the app to expand the section.
- In the table of configured assets, click the asset you want to edit.
- Click Edit, then make any desired changes. You can edit an asset's description, tags, settings, and approval settings. To change the asset name, you must delete the current asset and create a new asset with the desired name.
- Click Save.
Reassign an orphaned Splunk SOAR (Cloud) asset
You can assign orphaned assets to an app from the user interface.
- From Home > Apps > Orphaned Assets select the orphaned asset.
- Click Assign App.
- In the dropdown menu, select the App, then click Assign.
Delete a Splunk SOAR (Cloud) asset
Perform the following steps to delete a Splunk SOAR (Cloud) asset.
- From the Home menu, select Apps.
- Make sure the Configured Apps tab is selected.
- Click on the number of configured assets in the app to expand the section.
- In the table of configured assets, click the asset you want to delete.
- Click Delete Asset.
- Click Confirm to confirm that you want to delete the asset.
Configure advanced asset settings
Configure advanced asset settings such as the concurrent action limit, just in time (JIT) credentials, automation users, asset environment variables, and proxies.
Set the concurrent action limit
To set the concurrent action limit on an existing asset or on a new asset, follow these steps:
- From the Splunk SOAR (Cloud) Home menu, select Apps.
- Find the app you want to run an action on and click Configure New Asset. Or, to run concurrent actions on an existing asset, click on your desired preexisting asset.
- Click the Asset Settings tab, then click Advanced to expand the section.
- In the Concurrent Action Limit box, enter the number of concurrent actions you want to run on your asset. You can run up to 50 actions at once. Use caution when changing this limit as it can significantly affect performance.
- Run actions on the asset and evaluate performance before raising the limit further.
For information on setting the global action concurrency limit, see Set the global action concurrency limit.
Disable action lock or action concurrency
Within an action entry, the optional lock key defines a set of parameters that you can set to run actions concurrently.
- A lock is represented by its name.
- Multiple actions locking on the same name will be serialized even if the actions are from different apps.
- In the absence of a lock dictionary, the platform runs the actions concurrently using the asset as the lock name.
To disable the lock for an action, the lock dictionary must be present and the "enabled" key set to false. When "enabled" is set to false, you can run as many concurrent actions as you like.
```json
"lock": {
   "enabled": false,
   "data_path": "parameters.hash",
   "timeout": 600
}
```
| Parameter | Required? | Description | 
|---|---|---|
| enabled | Required | Boolean value that specifies if the lock is enabled or not for this action. | 
| data_path | Optional | The name of the lock. Only valid if the lock is enabled. This value is either a data path that points to a parameter of the action, such as parameters.hash where hash is one of the parameters of the action, or a data path that points to a configuration parameter, such as configuration.server. At runtime, the platform reads the value stored in that data path and uses it as the name of the lock. You can also use a constant string, that is, any string that does not start with the prefix configuration. or parameters.; the platform uses such a value as is. If data_path is not specified, the asset is used as the lock name. | 
| timeout | Optional | Specifies the number of seconds to wait to acquire the lock, before an error condition is reported. | 
If you have multiple actions with the lock enabled that are scheduled to run on an asset, you may want to exclude only some of them from running concurrently. To exclude a certain action from running concurrently, set concurrency to false in the app JSON. When both "enabled" and "concurrency" are set to true, you can run multiple actions concurrently up to the concurrent action limit. When "enabled" is set to true and "concurrency" is set to false, you can only run a single action.
```json
"lock": {
   "enabled": true,
   "concurrency": false
}
```
| Parameter | Required? | Description | 
|---|---|---|
| enabled | Required | Boolean value that specifies if the lock is enabled or not for this action. | 
| concurrency | Optional | By default, concurrency is set to true to allow concurrent actions to run on an app. Set concurrency to false to opt out of concurrent actions running on an app. | 
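The lock rules in the two tables above, worked through as an added example: this is illustrative code, not the Splunk SOAR (Cloud) scheduler, and the asset names, hash values, and queued runs are constructed placeholders. It resolves the lock name for each queued run exactly as the data_path rules describe, applies the concurrency flag, and shows which runs end up serialized (including across different apps).

```python
from collections import defaultdict


def lock_name(lock, asset_name, parameters, configuration):
    """Return the lock name for one action run, or None when the action
    runs unlocked (lock dictionary present with "enabled": false)."""
    if lock is None:
        return asset_name            # no lock dictionary: asset is the lock
    if not lock.get("enabled", False):
        return None                  # "enabled": false disables locking
    data_path = lock.get("data_path")
    if not data_path:
        return asset_name            # enabled but no data_path: asset is the lock
    if data_path.startswith("parameters."):
        return str(parameters[data_path[len("parameters."):]])
    if data_path.startswith("configuration."):
        return str(configuration[data_path[len("configuration."):]])
    return data_path                 # any other string is a constant lock name


def max_parallel(lock, concurrent_action_limit):
    """Upper bound on simultaneous runs of this action on one asset:
    an enabled lock with "concurrency": false allows a single run,
    otherwise the asset's concurrent action limit applies."""
    if lock and lock.get("enabled") and not lock.get("concurrency", True):
        return 1
    return concurrent_action_limit


def serialization_groups(runs):
    """Group queued runs by lock name; runs sharing a name are serialized,
    runs whose lock resolves to None are unconstrained."""
    groups, unlocked = defaultdict(list), []
    for run in runs:
        name = lock_name(run["lock"], run["asset"], run["parameters"], run["configuration"])
        (unlocked if name is None else groups[name]).append(run["id"])
    return dict(groups), unlocked


# Constructed sample queue (asset names and hashes are placeholders).
SAMPLE_RUNS = [
    # run-1 and run-2 come from different apps but lock on the same
    # parameters.hash value, so they serialize even across apps.
    {"id": "run-1", "asset": "reputation_a", "configuration": {},
     "parameters": {"hash": "CONSTRUCTED-HASH-1"},
     "lock": {"enabled": True, "data_path": "parameters.hash"}},
    {"id": "run-2", "asset": "reputation_b", "configuration": {},
     "parameters": {"hash": "CONSTRUCTED-HASH-1"},
     "lock": {"enabled": True, "data_path": "parameters.hash"}},
    # Different hash: different lock, so run-3 may run alongside run-1.
    {"id": "run-3", "asset": "reputation_a", "configuration": {},
     "parameters": {"hash": "CONSTRUCTED-HASH-2"},
     "lock": {"enabled": True, "data_path": "parameters.hash"}},
    # No lock dictionary at all: the asset name is the lock.
    {"id": "run-4", "asset": "firewall", "configuration": {},
     "parameters": {"ip": "198.51.100.7"}, "lock": None},
    # Lock explicitly disabled: never serialized.
    {"id": "run-5", "asset": "geolocate", "configuration": {},
     "parameters": {"ip": "198.51.100.7"}, "lock": {"enabled": False}},
]

if __name__ == "__main__":
    groups, unlocked = serialization_groups(SAMPLE_RUNS)
    for name, ids in groups.items():
        print(f"lock {name!r}: {ids} run one at a time")
    print(f"unlocked: {unlocked}")
```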
Configure Just In Time Credentials for a Splunk SOAR (Cloud) asset
Some assets can be configured to use just in time (JIT) credentials, which require a Splunk SOAR (Cloud) user to type in credentials before any further action is taken. Use JIT credentials if your organization has policies against providing credentials in an automated manner, or if you are using one-time passwords.
To configure JIT credentials, perform the following steps:
- Navigate to the asset configuration page.
- Click the Asset Settings tab.
- Click Advanced to expand the section.
- Click Edit if you are editing an existing asset. You don't need to do this if you are configuring a new asset.
- In the Enable Just in Time credentials for field, select the fields for which you want to enable JIT authentication. For example, select username and password to enable JIT for login credentials.
- Click Save.
Once enabled, JIT uses the asset's approval settings to determine the set of users that must supply the credentials to complete the action. See Configure approval settings for a Splunk SOAR (Cloud) asset.
To use JIT, you must have at least one approver set up for the asset. If you have selected multiple users that require a quorum to approve, then the last user (the one that would cast the final vote that causes the action to run) must be the one who supplies correct credentials. Earlier users can supply credentials, but the last user supplies the set that is actually used. Anything entered before that user is overwritten by the last user. Note that even if you have "Automatic self-approval" configured in Splunk SOAR (Cloud) for your own approval vote, you still receive a JIT prompt when credentials are required.
Configure automation users for a Splunk SOAR (Cloud) asset
Define the automation user to specify the service account Splunk SOAR (Cloud) uses to run the asset. The default account is the automation account provided by Splunk SOAR (Cloud).
Perform the following tasks to create a custom automation user in Splunk SOAR (Cloud):
- Navigate to the asset configuration page.
- Click the Asset Settings tab.
- Click on Advanced to expand the section.
- Click Edit if you are editing an existing asset. You don't need to do this if you are configuring a new asset.
- In the Select a user on behalf of which automated actions can be executed (e.g. test connectivity, ingestion) field, select the desired automation user.
- Click Save.
Configure environment variables for a Splunk SOAR (Cloud) asset
Global environment variables take precedence over any configured in an asset.
Perform the following tasks to set environment variables for a Splunk SOAR (Cloud) asset:
- Navigate to the asset configuration page.
- Click the Asset Settings tab.
- Click on Advanced to expand the section.
- Click Edit if you are editing an existing asset. You don't need to do this if you are configuring a new asset.
- Click + Variable to add a new environment variable.
- Enter the name and value of the variable.
- (Optional) Click Secret to encrypt the value so that it is not displayed in the Splunk SOAR (Cloud) web interface.
- (Optional) Click + Variable to add more variables as needed.
- Click Save.
See Configure proxies for a Splunk SOAR (Cloud) asset for information on how to set environment variables so that the asset can use a proxy.
Configure proxies for a Splunk SOAR (Cloud) asset
Perform the following steps to configure the environment variables needed for the app to communicate with a proxy:
- Navigate to the asset configuration page.
- Select the Asset Settings tab.
- Select Advanced to expand the section.
- Select Edit if you are editing an existing asset. You don't need to do this if you are configuring a new asset.
- Select + Variable to add a new environment variable.
- Configure the HTTP_PROXY, HTTPS_PROXY, or NO_PROXY variables depending on the type of proxy connection.
  - For HTTP and HTTPS proxy configurations, include the protocol, hostname or IP address, and the port of the proxy server. For example: <Protocol>://<Hostname/IP>:<Port>
  - For NO_PROXY configurations, include the IP address, hostname, or domain of the asset.
- (Optional) Select Secret to encrypt the value so that it is not displayed in the Splunk SOAR (Cloud) web interface.
- Select Save.
The table shows an example of how to configure HTTP, HTTPS, and no proxy for a Splunk SOAR (Cloud) asset. For apps that use requests, configuring both HTTPS and HTTP environment variables directs all app traffic through the proxy server.
| Proxy Name | Proxy Value | 
|---|---|
| HTTP_PROXY | http://192.168.13.1:80 | 
| HTTPS_PROXY | https://192.168.13.100:8800 | 
| NO_PROXY | 127.0.0.1, localhost, localhost.localdomain | 
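A way to check what the three variables in the table above do to an asset's outbound traffic, as an added example that is not Splunk SOAR (Cloud) or app code: it feeds the table's constructed values through the standard library's NO_PROXY matching (the same exact-host or domain-suffix rule the requests library applies) and reports, per URL, whether the app would go direct or through which proxy. The URLs and the partial environment in the last check are constructed.

```python
from urllib.parse import urlsplit
from urllib.request import proxy_bypass_environment

# Constructed asset environment variables, mirroring the table above.
ASSET_ENV = {
    "HTTP_PROXY": "http://192.168.13.1:80",
    "HTTPS_PROXY": "https://192.168.13.100:8800",
    "NO_PROXY": "127.0.0.1, localhost, localhost.localdomain",
}


def proxies_from_env(env):
    """Map *_PROXY variables to {'http': ..., 'https': ..., 'no': ...},
    ignoring case and empty values, as urllib and requests do."""
    return {name[:-6].lower(): value for name, value in env.items()
            if name.lower().endswith("_proxy") and value}


def proxy_for(url, env=ASSET_ENV):
    """Return the proxy the app would use for url, or None for a direct
    connection (scheme has no *_PROXY set, or the host matches NO_PROXY)."""
    proxies = proxies_from_env(env)
    parts = urlsplit(url)
    host = parts.hostname or ""
    # NO_PROXY entries match a host exactly or as a domain suffix.
    if proxy_bypass_environment(host, proxies):
        return None
    return proxies.get(parts.scheme.lower())


def route_table(urls, env=ASSET_ENV):
    """Summarise where each URL's traffic goes, to confirm that internal
    targets stay direct and that both schemes are covered by a proxy."""
    return {url: proxy_for(url, env) for url in urls}


if __name__ == "__main__":
    sample = ["https://api.example.com/v1/lookup",
              "http://api.example.com/v1/lookup",
              "http://127.0.0.1:8080/health",
              "https://localhost.localdomain/"]
    for url, via in route_table(sample).items():
        print(f"{url:40} -> {via or 'direct'}")
```

If only HTTP_PROXY is set, HTTPS traffic goes direct, which is why the text recommends configuring both variables when all app traffic must traverse the proxy.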
Configure webhooks settings for a Splunk SOAR (Cloud) asset
When an app (also called a connector) defines a webhook handler, the option to configure the webhook settings is available for assets of that app.
An administrator can toggle the webhooks service on or off from the Home menu, Administration, Administration Settings, Webhooks. If the webhooks service is toggled off, you cannot make changes to an individual asset's webhook settings.
To add or modify an asset's webhooks settings do the following:
- Navigate to the asset configuration page.
- Select the Webhook Settings tab.
- Select the Enable webhooks for this asset checkbox to allow webhooks. If the webhooks service is turned off, you will need to contact an administrator to turn it on before you can make changes.
- Type IP addresses for which the asset should accept requests in the Allow requests from these IPs input box. If you want to allow any IP address, leave this field blank. CAUTION: Where possible, only allow webhook actions from trusted IP addresses or address ranges.
- (Conditional) Select the Webhooks require SOAR authentication checkbox if the asset requires SOAR authentication to perform its actions.
- (Conditional) Type any headers the webhook must pass to SOAR in the Pass these headers to the webhook handler input box if header information must be passed to the webhook handler.
- Type the URL for the webhook in the URL for this webhook field.
- Select Save.
Configure ingest settings for a Splunk SOAR (Cloud) asset
Data ingestion settings are available for assets such as QRadar, Splunk, and IMAP. Perform the following steps to configure ingestion settings for a Splunk SOAR (Cloud) asset:
- Navigate to the Asset Configuration page.
- Click the Ingest Settings tab.
- Click Edit if you are editing an existing asset. You don't need to do this if you are configuring a new asset.
- In the Label to apply to objects from this source field, select a container label you want to apply to objects from this source. You can also type in a new label name.
- (Optional) Configure a polling interval for the asset to ingest data.
  - Select Interval to configure the number of minutes between polls.
  - Select Scheduled to view additional options and intervals.
- (Optional) Some assets have a Process Missed Jobs checkbox. Check this box if you want Splunk SOAR (Cloud) to process any missed jobs. Jobs can be missed in cases where Splunk SOAR (Cloud) is not running, or one poll didn't complete before the next one started.
- Click Save.
Configure approval settings for a Splunk SOAR (Cloud) asset
Assets created with no approvers run immediately. That is usually acceptable under company policy for an asset that provides a whois lookup action. For assets such as firewalls, company policies usually restrict who can change firewall settings, so any action performed on a firewall asset must go through the approval process.
Configure the approval settings for a Splunk SOAR (Cloud) asset to determine who must approve the actions taken against the asset. See Approve actions before they run in Splunk SOAR (Cloud) in the Use Splunk SOAR (Cloud) manual.
To configure approval settings for an asset, perform the following steps:
- Navigate to the asset configuration page.
- Click the Approval Settings tab.
- Click Edit if you are editing an existing asset. You don't need to do this if you are configuring a new asset.
- Select the users and roles you want to configure as primary approvers. Click the arrow keys to add or remove users and roles to the Primary Approvers field.
- Select the number of required primary approvers from the drop-down list in the Required primary approvers field.
- Select the users and roles you want to configure as secondary approvers. Click the arrow keys to add or remove users and roles to the Secondary Approvers field.
- Select the number of required secondary approvers from the drop-down list in the Required secondary approvers field.
- Click Save.
Configure Executive approvers for a Splunk SOAR (Cloud) asset
When all SLA escalations expire without being acted on, Executive approvers receive an SLA breach notification. To configure Executive approvers, follow these steps:
- From the main menu, select Administration, then Response.
- On the Response page, uncheck Automatic self-approval.
- Search for and select one or more Executive approvers from the list.
- Select Save Changes.