Configure auditing using Splunk App for SOAR

The auditing service in Splunk App for SOAR allows you to pull audit logs from any number of Splunk SOAR environments. To configure the auditing service, you must ensure Splunk App for SOAR connects a Splunk SOAR environment to your Splunk Cloud Platform or Enterprise environment:

  1. Connect Splunk App for SOAR to Splunk SOAR.
  2. Add an audit input. Select Manage > Edit Audit Input.
    1. Enter the Audit Input Name.
    2. Specify the Start Date and Start Time for the audit.
    3. Set the Interval, in seconds. Recommended interval time is 1800 seconds (30 minutes).
    4. Choose an Index from the dropdown menu.
    5. Select Save.
  3. Turn on the Audit Input Status toggle. If you turn off the toggle, auditing stops.

Note: To use auditing, you must ensure your Automation user has the Observer role in Splunk SOAR. For more information about how to manage roles in Splunk SOAR see Manage roles and permissions in Splunk SOAR in the Administer Splunk SOAR manual.