Splunk SOAR On-Prem Alarm Integration with Zero Trust Alarms
Support Statement
This documentation is provided "as is" without support for 3rd party software. The level of support for this integration guide is best effort without any SLA on response time. No 3rd party product support can be provided by Superna directly. 3rd party components require support contracts. See EULA for more details.
Overview
Splunk Phantom, renamed to Splunk SOAR, is a security orchestration, automation, and response (SOAR) solution. Security automation involves machine-based execution of security actions to detect, investigate, and remediate threats programmatically. This integration enables organizations to leverage the full automation capabilities of Splunk SOAR On-Prem with Superna Zero Trust APIs.
Features
- An event is created with mapped artifacts on the first alert received.
- Subsequent updates to that event in Data Security Edition append notes to the notes field of the event by matching the alarm ID in DSE to the event created in Splunk SOAR.
Solution Overview
Superna Security Edition Zero Trust API is the cornerstone technology used to integrate with SIEM, SOAR, and XDR platforms. Automation begins with data that summarizes the threat and places that information into security tools for SecOps action and playbook execution to protect corporate IT assets from vulnerabilities and insider or external attackers. The Splunk SOAR platform acts on container events and artifacts that provide incident details with all relevant data for playbooks and cross-domain automation.
What Is Splunk SOAR?
Splunk SOAR is a security orchestration, automation, and response solution that delivers data-driven security insights with comprehensive visibility for risk mitigation at scale.
Prerequisites
- Security Edition installed
- Splunk SOAR On-Prem installed
- Eyeglass OS appliance version 15.5 — verify with
cat /etc/os-release
Configuration in Splunk SOAR
Information Required
- Automation user token
- Endpoint URL of the REST data source application to receive webhook data
- Firewall ports allowing the Eyeglass VM to reach the Splunk SOAR endpoint over HTTPS port 443
Steps
- Log in to the Splunk SOAR application as an administrator.
- Under the Administration menu, locate User Management.
- Edit the automation user:
- Click show token and record the token.
- In the Allowed IPs field, enter the subnet or IP address of the Eyeglass VM. Enter a CIDR block, or "any" to allow any IP to issue API calls.
Configure Data Security Edition Integration
High-Level Steps
- Create a Python location on the Eyeglass VM to run the application.
- Create the main Python application script.
- Create a Linux systemd service set to auto-start.
- Create a Zero Trust configuration in Defender.
- Update the main script with the Splunk SOAR Python code.
- Test the script running as a service.
- Create a test event in Defender to validate that alerts appear as indexed, parsed events in Splunk SOAR.
Configure the Service Start and Python Integration Files
Log in to the Eyeglass VM via SSH as the admin user:
ssh admin@<your-vm-ip>
Become root:
sudo -s
mkdir -p /opt/superna/cgi-bin
chown -R sca:users /opt/superna/cgi-bin
chmod -R u+rwX,g+rwX /opt/superna/cgi-bin
Switch to the SCA user:
sudo -u sca -s
cd /opt/superna/cgi-bin
Create a Python virtual environment for the integration:
python3 -m venv venv-splunksoar
source venv-splunksoar/bin/activate
Install required Python packages:
pip install flask boto3 requests
(logging is part of the Python standard library and must not be installed from PyPI; the PyPI package of that name is an obsolete copy that can shadow the built-in module.)
deactivate
Create integration script files:
touch splunksoar.py
touch splunksoar.sh
chmod +x splunksoar.py
chmod +x splunksoar.sh
Create the splunksoar.sh launch script:
nano /opt/superna/cgi-bin/splunksoar.sh
Paste the following content into the file:
#!/bin/bash
export PATH="/opt/.pyenv/bin:$PATH"
source /opt/superna/cgi-bin/venv-splunksoar/bin/activate
exec python /opt/superna/cgi-bin/splunksoar.py
Make the script executable:
chmod +x /opt/superna/cgi-bin/splunksoar.sh
Exit back to root:
exit
whoami # confirm you are root
Create the systemd service unit file:
nano /etc/systemd/system/splunksoar.service
Paste the following content into the file:
[Unit]
Description=Webhook listener for Zero Trust API translations and integrations
After=network.target
[Service]
Type=simple
User=sca
Group=users
WorkingDirectory=/opt/superna/cgi-bin
ExecStart=/bin/bash /opt/superna/cgi-bin/splunksoar.sh
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target
Reload systemd to register the new service:
systemctl daemon-reload
Enable the service to start on boot (do not start it yet):
systemctl enable splunksoar
Configure Python Packages and Customize the Splunk SOAR Integration Code
- Download the Python template file (splunksoaronpremise.py.template) (right-click, save as) and open it in a text editor.
- Replace only the placeholder values: the endpoint URL for HTTP ingestion of your Splunk SOAR instance and the API token. Do not delete any commas.
- Locate the following section and update accordingly. Change the port if it differs from the default. To use HEC format, comment out the ECS endpoint, uncomment the Splunk HEC line, and set hec_format = True:
# === splunksoar Configuration ===
PHANTOM_SERVER = "https://y.y.y.y:8443"
PH_AUTH_TOKEN = "xxxxxxxx"
VERIFY_SSL = False
PHANTOM_LABEL = "events"
- Open the production file on the Eyeglass VM:
nano /opt/superna/cgi-bin/splunksoar.py
- Open the template file locally in Notepad, select all (Ctrl+A), and copy.
- Paste the clipboard into the SSH terminal session with the open nano editor.
- Save the file:
  - Press Ctrl+X
  - Answer Yes to save and exit
- Start the service and verify it is running:
systemctl start splunksoar
systemctl status -l splunksoar
Verify that the service is reported as active and running. If the service does not start, do not proceed; double-check the steps above.
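As an added illustration, not the page's template file or Superna's code, the following Python shows what the splunksoar.py script has to do with the settings above: it implements the behaviour described under Features, where the first webhook for an alarm ID creates a Splunk SOAR container with a mapped artifact and every later webhook carrying the same alarm ID appends a note to that container. The REST paths (/rest/container, /rest/artifact, /rest/note) and their field names are the Splunk SOAR REST API as I know it and should be checked against your SOAR version; the Zero Trust payload field names (alarm_id, severity, action, user, client_ip, path, message) and the two sample payloads are constructed for the example; the HTTP transport is injected so that run_sample() executes offline against a recording stub. The Flask route that receives the webhook in the real script is left out.

```python
import json
from typing import Any, Callable, Dict, List, Optional, Tuple

# Same placeholder names as the configuration block in the template; replace them in production.
PHANTOM_SERVER = "https://y.y.y.y:8443"
PH_AUTH_TOKEN = "xxxxxxxx"
VERIFY_SSL = False       # set to True or a CA bundle path once the SOAR certificate is trusted
PHANTOM_LABEL = "events"

# Zero Trust severity names (assumed) -> SOAR container severity values.
SEVERITY_MAP = {"CRITICAL": "high", "MAJOR": "medium"}

# Constructed sample webhook bodies. The field names are assumptions, not the real
# Zero Trust schema; take them from a webhook captured in your own environment.
ALARM_FIRST = {
    "alarm_id": "4711",
    "severity": "CRITICAL",
    "action": "lockout",
    "user": "CORP\\jdoe",
    "client_ip": "10.20.30.40",
    "path": "/ifs/data/finance",
    "message": "Ransomware behaviour detected: mass file rename",
}
ALARM_UPDATE = {
    "alarm_id": "4711",
    "severity": "CRITICAL",
    "action": "lockout",
    "message": "Lockout confirmed on cluster prod-nas-01",
}

PostFn = Callable[[str, Dict[str, Any]], Dict[str, Any]]


class SoarClient:
    """Create one container per alarm ID; later alarms with the same ID become notes."""

    def __init__(self, server: str, token: str, verify: Any, label: str,
                 post: Optional[PostFn] = None) -> None:
        self.base = server.rstrip("/")
        # ph-auth-token is the header SOAR expects for the automation user's token.
        self.headers = {"ph-auth-token": token, "Content-Type": "application/json"}
        self.verify = verify
        self.label = label
        self._post = post or self._http_post
        # alarm_id -> SOAR container id. In-memory only: a service restart forgets it,
        # so a production version should look the container up by source_data_identifier.
        self.containers: Dict[str, int] = {}

    def _http_post(self, path: str, body: Dict[str, Any]) -> Dict[str, Any]:
        import requests  # imported here so the offline sample does not need it
        resp = requests.post(self.base + path, headers=self.headers,
                             json=body, verify=self.verify, timeout=10)
        resp.raise_for_status()
        return resp.json()

    def handle_alarm(self, alarm: Dict[str, Any]) -> Tuple[str, int]:
        alarm_id = str(alarm["alarm_id"])
        if alarm_id in self.containers:
            # Known alarm: append the update as a note (assumed /rest/note fields).
            cid = self.containers[alarm_id]
            self._post("/rest/note", {
                "container_id": cid,
                "title": f"Zero Trust update for alarm {alarm_id}",
                "content": alarm.get("message", json.dumps(alarm)),
                "note_type": "general",
            })
            return ("note", cid)
        # First sighting: create the container, then an artifact carrying the details as CEF fields.
        container = self._post("/rest/container", {
            "name": f"Zero Trust alarm {alarm_id}: {alarm.get('message', '')}",
            "label": self.label,
            "severity": SEVERITY_MAP.get(str(alarm.get("severity", "")).upper(), "low"),
            "source_data_identifier": alarm_id,  # lets SOAR discard a replay of the same alarm
            "data": alarm,
        })
        cid = int(container["id"])
        self._post("/rest/artifact", {
            "container_id": cid,
            "name": "Zero Trust alarm",
            "label": "alert",
            "source_data_identifier": alarm_id,
            "cef": {
                "sourceUserName": alarm.get("user"),
                "sourceAddress": alarm.get("client_ip"),
                "filePath": alarm.get("path"),
                "deviceAction": alarm.get("action"),
            },
        })
        self.containers[alarm_id] = cid
        return ("container", cid)


def run_sample() -> Tuple[List[Tuple[str, int]], List[Tuple[str, Dict[str, Any]]]]:
    """Replay the constructed payloads against a recording stub instead of a live SOAR."""
    calls: List[Tuple[str, Dict[str, Any]]] = []

    def fake_post(path: str, body: Dict[str, Any]) -> Dict[str, Any]:
        calls.append((path, body))
        return {"id": 101}  # shape of a SOAR create response, reduced to the id

    client = SoarClient(PHANTOM_SERVER, PH_AUTH_TOKEN, VERIFY_SSL, PHANTOM_LABEL, post=fake_post)
    results = [client.handle_alarm(ALARM_FIRST), client.handle_alarm(ALARM_UPDATE)]
    return results, calls


if __name__ == "__main__":
    for path, body in run_sample()[1]:
        print(path, json.dumps(body)[:80])
```

Two design points carry over to the real script. First, VERIFY_SSL is passed straight through to requests; leaving it False means the automation token travels over a TLS session whose certificate is never checked, so once the SOAR certificate chain is trusted on the Eyeglass VM set it to True or to a CA bundle path. Second, the source_data_identifier on the container is what lets SOAR treat a repeated alarm ID as a duplicate, which is the same behaviour the testing section below relies on when it says a curl test cannot be replayed without changing the ID.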
Configure Data Security Edition Zero Trust Webhooks
- Configure the Zero Trust endpoint in the Ransomware Defender Zero Trust tab.
Recommended configuration: send only Critical and Major events, and only webhooks that set lockout or delayed lockout. The goal is to send findings rather than a list of alarms that do not pinpoint a security incident. Customers can customize based on specific requirements.
- Configure the webhook with these values:
  - Name: Splunk SOAR
  - URL: paste the REST Data Handler endpoint URL
  - Header: Content-Type with value application/json
  - Custom header: ph-auth-token with the automation token value
- Click Save on the webhook configuration, then click Save on the main configuration page.
How to Test the Integration with Splunk SOAR
- Download the curl command template and open it in a text editor.
- Locate the URL at the end of the curl command and replace it with your recorded endpoint, for example:
"https://172.31.1.246/rest/handler/restdatasource_95e3bcff-bfca-454d-b59e-768da6280c38/supernazt"
- Save the file.
- Paste the complete curl command into the SSH prompt to send sample data to the running Zero Trust application.
- SSH to the Splunk SOAR appliance and tail the log to verify that API messages are reaching the endpoint:
tail -f /opt/<installdir>/var/log/phantom/app_interface.log
Once the curl command successfully creates a container event in the Splunk SOAR dashboard, you cannot run the script again without editing the ID value and incrementing the number. Containers are unique, identified by the ID in the incoming data. Duplicate IDs are automatically discarded.
Example Splunk SOAR Container and Artifact Events
Once configured and tested successfully, the integration creates containers with artifacts attached.
A Splunk SOAR container is a security event ingested from a third-party source. All containers are assigned labels, which enable Splunk to group related containers.
Artifacts are objects associated with a container and serve as corroboration or evidence related to the container. They represent critical data for SecOps to use when deciding on the appropriate response. Zero Trust payload data maps into custom artifacts on the container.