Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

set up SOAR to receive data and send an action to the endpoints

kareem
Explorer
‎05-27-2024 07:08 AM

How can SOAR be set up to receive data from Splunk ES, process it, send an action to the endpoints, and update the event status in Splunk ES?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

kareem
Explorer
‎06-02-2024 11:05 PM

thank you so much
do u have a way to speed up the Splunk SOAR capabilities to process the events, it can't process a 100 events every 5 minutes....
 I found a solution about the worker but, the file that solution talk about doesn't exists which is "umsgi.ini"

Tags (1)
0 Karma
Reply

kprior201
Path Finder
‎06-25-2024 05:23 AM

Sorry for the delay on this; no, I don't really have an answer to that one. You might open a support ticket for advice there. In my instances, I generally tried to minimize the amount of events it was being sent.

0 Karma
Reply

kprior201
Path Finder
‎05-28-2024 10:25 AM

This is a pretty big question. I would recommend you start here: https://docs.splunk.com/Documentation/SOARExport/4.3.2/UserGuide/Configureoverview for how to connect Splunk and Splunk SOAR. From there, you'll need to set up the mechanism for sending alerts to SOAR and a playbook within SOAR for processing them the way you need to. What action you want to do on the endpoint will determine how to set that playbook up. If this is leveraging Defender, for example, you can set up an action to call Defender to quarantine an endpoint or something like that. It will vary a lot depending on your exact use case.

0 Karma
Reply

kareem
Explorer
‎05-28-2024 12:19 PM

thank you for reply... I successfully make a connection between Splunk ES and Splunk SOAR... but I Can't make the connection between them automatically
Do you have a solation for that? 

Tags (1)
0 Karma
Reply

kprior201
Path Finder
‎05-30-2024 05:08 AM

Sure, you have a couple of options there. You can either add adaptive response actions to your Splunk ES correlation searches (if you're using those) or you can set up a saved search to export exactly the results you want to. When I last worked on this (it's been about a year), I found that the saved search method was more reliable. I used a search similar to the Incident Response view search ("Incident Review - Main" in SA-ThreatIntelligence) as my use case was to forward notable events to the SOAR platform.

 

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...