Splunk SOAR
Overview
Superna Security Edition + Splunk SOAR (formerly Phantom) enables automated security orchestration and response for storage-layer detections.
When a ransomware, mass-delete, or insider-access event occurs, Superna sends a webhook that Splunk SOAR converts into containers and artifacts, triggering playbooks that snapshot data, block accounts, or initiate restores—all without analyst intervention.
We’ll install and validate this integration at no charge so you can see value fast.
Next step: use the "Book a setup call" link at the top of this page.
What You Get
- Native Splunk SOAR ingestion using the built-in REST Data Source app.
- Automated playbooks for Snapshot, User Block, and Restore actions through the Zero Trust API.
- Secure authentication with the automation-user API token and IP whitelist.
- Immediate or approval-based execution with full audit trail in Splunk SOAR.
- Free installation while Superna develops a no-code connector for the Splunk Marketplace.
 
How It Works
- Detect → Send: Superna Zero Trust triggers a webhook containing event metadata (severity, user, affected files, etc.).
- Receive → Parse: Splunk SOAR's REST Data Source app receives the POST payload on port 443 and calls the custom Python handler.
- Create → Populate: The handler maps payload fields into a container and artifacts (e.g., IP, user, file path, severity).
- Trigger → Run Playbook: Configured playbooks launch automatically or on demand (snapshot, block, restore).
- Verify → Audit: Results and logs appear in Splunk SOAR's dashboard; duplicate events are automatically filtered.
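The Create → Populate and Verify → Audit steps above, as an added illustration that is not Superna's handler or Splunk SOAR's REST Data Source code: a webhook body is mapped into a SOAR-style container with one artifact per affected file, and a second delivery with the same event ID is dropped the way SOAR's container deduplication would suppress it. The payload field names and the sample event are assumptions for this example.

```python
import json
from typing import Optional

# Constructed sample webhook body; field names are illustrative assumptions
SAMPLE_EVENT = json.dumps({
    "event_id": "zt-0001",
    "event_type": "ransomware",
    "severity": "critical",
    "user": "jdoe",
    "client_ip": "10.0.0.25",
    "affected_files": ["/ifs/data/finance/q1.xlsx", "/ifs/data/finance/q2.xlsx"],
})

# Superna severity labels mapped onto SOAR container severities (assumed mapping)
SEVERITY_MAP = {"critical": "high", "major": "medium", "minor": "low"}


def build_container(event: dict) -> dict:
    """Return a SOAR-style container dict with one artifact per affected file."""
    artifacts = [
        {
            "name": f"{event['event_type']} on {path}",
            "label": "event",
            "cef": {
                "sourceUserName": event["user"],
                "sourceAddress": event["client_ip"],
                "filePath": path,
                "act": event["event_type"],
            },
        }
        for path in event.get("affected_files", [])
    ]
    return {
        "name": f"Superna {event['event_type']} - {event['user']}",
        "label": "superna",
        "severity": SEVERITY_MAP.get(event["severity"].lower(), "medium"),
        # SOAR deduplicates containers on this field; reusing an ID suppresses the event
        "source_data_identifier": event["event_id"],
        "artifacts": artifacts,
    }


def ingest(raw_body: str, seen_ids: set) -> Optional[dict]:
    """Parse a POST body and return its container, or None if the ID was already seen."""
    event = json.loads(raw_body)
    if event["event_id"] in seen_ids:
        return None
    seen_ids.add(event["event_id"])
    return build_container(event)
```

Posting the same sample body twice while testing therefore yields one container, which is the behaviour to expect when replaying the curl template with unchanged IDs.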
 
Architecture / Flow
Components
- Superna Security Edition – Emits Zero Trust webhooks for critical events.
- Zero Trust Webhook Service – Local listener on the Eyeglass VM posting events to Splunk SOAR's REST Data Source.
- Splunk SOAR – Creates containers and artifacts and executes automation playbooks.
- Playbooks – Implement Snapshot, User Block, and User Restore actions using the Superna Zero Trust API.
- Automation User Token – Authenticates inbound requests; the IP allow-list restricts which sources may post.
 
FAQs
Do I need to install a connector?
No connector installation is required—the integration uses Splunk SOAR’s built-in REST Data Source app with a custom Python handler.
Can I test the integration safely?
Yes—use the provided curl template from Superna documentation to post sample payloads; monitor app_interface.log to confirm ingestion.
Why do duplicate events not appear?
Splunk SOAR deduplicates containers by ID; reuse of identical IDs in test data will result in suppression.