Splunk App for SOAR Export
Overview
Details
Also included with this app is an integration with Splunk Enterprise Security, allowing you to send ES data to SOAR.
Splunk SOAR is a Security Automation and Orchestrated Response (SOAR) platform that integrates with your existing security tools in order to provide a layer of “connective tissue” between them. Splunk SOAR streamlines security operations through the execution of digital “Playbooks” to achieve in seconds what may normally take minutes or hours to accomplish with the dozens of products that you use every day.
Splunk SOAR doesn’t replace existing security products, but instead makes your investment in them smarter, faster and stronger.
(Formerly known as Phantom App for Splunk)
To learn more about installation, configuration, and using the Splunk App for SOAR Export read the documentation:
https://docs.splunk.com/Documentation/SOARExport
Additional technical documentation also available on Splunk Docs:
https://docs.splunk.com/Documentation/SOARonprem
If you do not yet have a phantom community account, signup at:
https://my.phantom.us/signup/
Release Notes
Version 4.1.117
==========================
Version 4.1.117 Release Notes
==========================
- Name of the app has been changed to Splunk App for SOAR Export
- Bug fix: The app UI was not loading if the root_endpoint of Splunk was changed
- Bug fix: Upgrading from beta version 0.0.19 to release version 4.1.73 gave an error message related to earliest_time and latest_time parameters
- Bug fix: Event forwarding configurations were not being updated to either enabled or disabled
- The app now removes items from the KV Store if the item has an invalid label in Splunk SOAR
- Bug fix: Misleading error message was given when syncing workbooks
- Bug fix: Some artifacts were not sent to the correct containers during event retries
- Updated the event parsing regular expression in event forwarding to properly accommodate multiline values
- Set the default python.version to python3
- Optimized the searches performed in event forwarding for better performance
Version 4.1.73
=========================
Version 4.1.73 Release Notes
=========================
- Event forwarding configurations have been converted to save as search alerts instead of reports
- Performance improvement for container and artifact creation in Splunk Phantom and Splunk SOAR
- Custom advanced time parameters “Earliest Time” and “Latest Time” added to saved search event forwarding configuration
- Performance improvements for workbooks tab
- Added bulk workbook management
- Added app.manifest to app folder
- Alert actions and adaptive response actions now use cim_modactions index instead of phantom_modalert index
- Upgraded urllib3 to version 1.26.6 and requests library to 2.25.1
Version 4.1.3
============================
Version 4.1.3 Release notes
============================
- This release of the Splunk Phantom App for Splunk connects both Splunk Phantom and Splunk SOAR to your Splunk platform
- Bug fix where Event Forwarding Save and Preview hangs with 0 results
- Splunk Enterprise Security is no longer needed unless performing adaptive response actions or AR Relay
- Splunk events not created in Splunk SOAR and Splunk Phantom are stored in KV Store and attempt to re-send every 60 seconds until successful
- Synchronize workbooks across multiple Splunk SOAR and Splunk Phantom instances
- Alert Action Configurations tab moved to Configurations tab and no longer uses jQuery
- Limit read access to users with phantom role
Version 3.0.5
Version 3.0.5 Release notes:
- Bug fix auto mapping cannot be turned off
- Bug fix adaptive response action creating duplicate artifacts
- Global mapping page to save custom mappings, which can be automatically applied to forwarding configurations
- Updated UI for Event Forwarding page
Version 2.5.2
This app imports Splunk_SA_CIM and SA_Utils libraries, version 4.8.0.
Third party libraries included in this app:
- jQuery-datatables https://datatables.net/
- Select2 https://select2.org/
===========================
Version 2.5.2 Release notes
===========================
- Support for Splunk 7.1
- Updated copyright information
- Performance improvement on Export configuration with a large number of field mappings
- Bug fix on search field resetting when saved search or data model export is changed
- Bug fix on Export configuration losing updates when the mouse is clicked on outside the configuration window
- Bug fix on selection of invalid value for Scheduled time units
- Bug fix on destinationTranslatedAddress and bytesIn field mappings
- Bug fix on container label when upgrading from 2.2.x version
Version 2.4.18
All user documentation can be found in the Phantom platform in Documentation, Administration Manual, Data Sources, Splunk.
You may also visit https://my.phantom.us/docs/admin/splunk with your Phantom account.
Contact support@phantom.us for any support or installation issues. The only system requirement is a functional installation of the Phantom platform.
This app imports Splunk_SA_CIM and SA_Utils libraries, version 4.8.0.
Third party libraries included in this app:
- jQuery-datatables https://datatables.net/
- Select2 https://select2.org/
==================
Installation Notes
==================
===========================
Version 2.4.18 Release notes
===========================
- Bug fix on time string error when sending Data Model export on Windows server
- Bug fix on export name containing white space on Windows server
Version 2.4.17
===========================
Version 2.4.17 Release notes
===========================
- Bug fix on time string error when sending Data Model export on Windows server
- Bug fix on export name containing white space on Windows server
Version 2.4.16
Important notes for the previous versions are included in the README.txt in the package.
===========================
Version 2.4.16 Release notes
===========================
- Bug fix on time string error when sending Data Model export on Windows server
- Bug fix on export name containing white space on Windows server
Version 2.4.15
Version 2.3.12
Important notes for this version are included in the README.txt in the package.
Highlights of this release:
Remove SSL Verification checkbox, add the ability to enable/disable SSL Verification via REST (see README.txt in the package). Note this is prohibited on Splunk Cloud.
Make dropdown fields in the configuration easier to use by sorting and filtering.
Add "save" next to "save and preview"
Include URL to Splunk Results - "_originating_search" now appears in the artifact CEF for adaptive response actions.
Add clone button for event forwarding configuration
Added free-form entry of destination labels
Added the ability to execute a playbook from Alert Actions
Resolve a javascript security issue noted by Splunk security review.
* Resolve error messages in logs, improved error handling
Version 2.2.17
- Update for Splunk Cloud certification
- Force SSL Verify always enabled, Customer can not choose to disable SSL Verification
- No other functional changes since 2.2.9