Pair Splunk SOAR (On-premises) with Splunk Enterprise Security
Pair your Splunk SOAR (On-premises) instance with your Splunk Enterprise Security instance to add the automation capabilities of Splunk SOAR (On-premises) to the security analytics of Splunk Enterprise Security. For complete compatibility information, see the Splunk SOAR Compatibility matrix in the Splunk Enterprise Security documentation.
Coordinate with your Splunk Enterprise Security administrator and Splunk administrator to perform the pairing. They will be following instructions in Pair Splunk Enterprise Security with Splunk SOAR in the Administer Splunk Enterprise Security documentation.
Provide the administrators with the following Splunk SOAR (On-premises) information:
- IP address, including CIDR, for the Splunk Cloud Platform IP allow list
- Base URL, including the port number if you are not using port 433, the default HTTPS port (For example, https://soar.example.com:1234/). Make sure that the port you specify is open.
- Login credentials (username and password)
The Splunk Enterprise Security admin might contact you about an error in the pairing process. Possible issues include:
- The Splunk SOAR (On-premises) version is not compatible with the version of Splunk Enterprise Security. You might need to upgrade your Splunk SOAR (On-premises) deployment.
- The credentials entered for pairing were not correct. You might need to verify the Splunk SOAR (On-premises) credentials.
- Your Splunk SOAR SSL certificate is invalid. You might need to update the certificate. See Updating the SSL certificates for details.
Unpairing from Enterprise Security
Unpairing is initiated from within Enterprise Security. In the unlikely event that unpairing is not successful, your Enterprise Security admin might ask you, the Splunk SOAR admin, to facilitate unpairing the two instances.
To manually complete pairing from the Splunk SOAR (On-premises) instance, run the following curl command:
curl -u '<admin-user>:<admin-password>' -d '{"delete_all_splunk_users": false,"delete_non_converted_splunk_users":false}' https://<soar-host>/rest/enterprise_security/unpairing
Notify your Splunk Enterprise Security admin when unpairing is successful.
See also
- For details on the pairing process, see Pair Splunk Enterprise Security with Splunk SOAR in the Administer Splunk Enterprise Security documentation.
- For information on troubleshooting pairing in Enterprise Security, see Troubleshoot pairing Splunk Enterprise Security with Splunk SOAR in the Troubleshoot Splunk Enterprise Security documentation.
- For details on configuring authentication settings in Splunk SOAR and managing Splunk SOAR user accounts and roles while pairing , see Configure single sign-on authentication for Splunk SOAR (On-premises).