Version: 2.14.1

Splunk SOAR SaaS Integration with Zero Trust Alarms


Support Statement

DISCLAIMER

This documentation is provided "as is" without support for 3rd party software. The level of support for this integration guide is best effort without any SLA on response time. No 3rd party product support can be provided by Superna directly. 3rd party components require support contracts. See EULA for more details.


Overview

Splunk Phantom, renamed to Splunk SOAR, is a security orchestration, automation, and response (SOAR) solution. Security automation involves machine-based execution of security actions to detect, investigate, and remediate threats programmatically. This integration enables organizations to leverage the full automation capabilities of Splunk SOAR with Superna Zero Trust APIs.

Solution Overview

Superna Security Edition Zero Trust API is the cornerstone technology used to integrate with SIEM, SOAR, and XDR platforms. Automation begins with data that summarizes the threat and places that information into security tools to be acted on by SecOps teams. The Splunk SOAR platform acts on container events and artifacts that provide incident details with all relevant data for playbooks and cross-domain automation.

What Is Splunk SOAR?

Splunk SOAR is a security orchestration, automation, and response solution that delivers data-driven security insights with comprehensive visibility for risk mitigation at scale.

Solution Configuration in Splunk SOAR and Defender Zero Trust

Prerequisites

  • Installed Security Edition
  • Installed Splunk SOAR
  • Eyeglass OS appliance version 15.5 — verify with cat /etc/os-release

Configuration in Splunk SOAR

  1. Log in to Splunk SOAR as an administrator.
  2. Add the REST Data Source application using the New apps button.
  3. Click Configure New Asset and name the asset SupernaZT.
  4. Open the Asset Settings tab and record the POST Incoming Rest Data Source URL.
  5. Obtain the automation user authentication token:
    • Navigate to Administration > User Management.
    • Edit the automation user.
    • Click show token and record the token.
    • In the Allowed IPs field, enter the IP address or CIDR subnet of the Eyeglass VM. Entering any permits API calls from any IP address; restrict this to the Eyeglass VM where possible, because otherwise the token by itself is sufficient to create containers on this asset.
  6. Download the Superna data handler code:
    • Open the Python file and add the Splunk SOAR IP address in the configuration section.
    • Save the file.
  7. Upload the custom Python REST handler to the REST Data Source application asset.
  8. Click Save.

Configure Defender Zero Trust Webhooks

  1. Configure the Zero Trust endpoint in the Ransomware Defender Zero Trust tab.

    Recommended Configuration

    Send only Critical and Major events, and only webhooks that set lockout or delayed lockout. The goal is to send findings rather than a list of alarms that do not pinpoint a security incident. Customers can customize based on specific requirements.

  2. Configure the webhook with these values:

    • Name: Splunk SOAR
    • URL: Paste the POST Incoming Rest Data Source URL recorded from the SupernaZT asset settings above
    • Header: Content-Type with value application/json
    • Custom header: ph-auth-token with the automation token value
  3. Click Save on the webhook configuration.

  4. Click Save on the main Webhook configuration page.

How to Test the Integration with Splunk SOAR

  1. Download the curl command template and open it with a text editor.

  2. Locate the URL at the end of the curl command and replace it with your recorded endpoint:

    "https://172.31.1.246/rest/handler/restdatasource_95e3bcff-bfca-454d-b59e-768da6280c38/supernazt"
  3. Save the file.

  4. Paste the complete curl command into an SSH session on a host permitted by the automation user's Allowed IPs setting (for example the Eyeglass VM) to send sample data to the SupernaZT REST Data Source asset in Splunk SOAR.

  5. SSH to the Splunk SOAR appliance and tail the log to verify API messages are reaching the endpoint:

    tail -f /opt/<installdir>/var/log/phantom/app_interface.log
Warning

Once the curl command successfully creates a container in the Splunk SOAR dashboard, you cannot run the same command again without editing the ID value in the payload and incrementing it. Containers are unique and are identified by the ID in the incoming data; a request that repeats an ID already ingested is silently discarded, so a second run of an unchanged command produces no new container and no error.
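The script below is an added example that sends the test event from a shell session; it is not Superna's downloadable curl template or handler code, and the actual template should be used for the real payload format. It assumes the endpoint URL shown above, environment variables SOAR_ENDPOINT, PH_AUTH_TOKEN and SOAR_CA_BUNDLE, and a --send flag (all introduced here). The JSON field names other than id are illustrative assumptions. What it adds to the manual procedure is a fresh ID on every run, so the container is not discarded as a duplicate, and certificate verification against a supplied CA bundle instead of disabling TLS checks.

```shell
#!/bin/sh
# Added example (not Superna's curl template): post a constructed test event to the
# SupernaZT REST Data Source handler with a new ID each run, so it is not deduplicated.
set -e

# Assumptions: replace with the POST Incoming Rest Data Source URL recorded in the
# asset settings and the automation user's token. SOAR_CA_BUNDLE is optional; set it
# to the appliance CA certificate instead of passing curl --insecure.
SOAR_ENDPOINT="${SOAR_ENDPOINT:-https://172.31.1.246/rest/handler/restdatasource_95e3bcff-bfca-454d-b59e-768da6280c38/supernazt}"
PH_AUTH_TOKEN="${PH_AUTH_TOKEN:-REPLACE_WITH_AUTOMATION_TOKEN}"
SOAR_CA_BUNDLE="${SOAR_CA_BUNDLE:-}"

# Containers are deduplicated on the ID in the incoming data, so each test run must
# send a value never used before; the epoch second is enough for manual testing.
next_event_id() {
  date +%s
}

# Constructed sample payload. Only "id" is known to matter for deduplication; the
# other field names are assumptions, not the schema of the Superna handler.
build_payload() {
  printf '{"id": %s, "name": "Zero Trust test event", "severity": "critical", "source": "constructed test payload"}' "$1"
}

# Send one event. Optional first argument: an explicit event ID, for runs that
# would otherwise fall within the same second.
send_event() {
  event_id="${1:-$(next_event_id)}"
  payload="$(build_payload "$event_id")"
  # Build the curl argument list with positional parameters (POSIX, no arrays).
  set -- --silent --show-error --fail -X POST \
         -H 'Content-Type: application/json' \
         -H "ph-auth-token: $PH_AUTH_TOKEN" \
         --data "$payload"
  if [ -n "$SOAR_CA_BUNDLE" ]; then
    set -- "$@" --cacert "$SOAR_CA_BUNDLE"
  fi
  curl "$@" "$SOAR_ENDPOINT"
  printf '\nsent event id %s\n' "$event_id"
}

# Only touch the network when explicitly asked; sourcing the file just defines the functions.
if [ "${1:-}" = "--send" ]; then
  send_event "${2:-}"
fi
```

Run it as `PH_AUTH_TOKEN=... sh send_test_event.sh --send` from a host allowed by the automation user's Allowed IPs setting, then tail app_interface.log on the SOAR appliance as in step 5 to confirm the request arrived. The --cacert option keeps TLS verification on; using curl's --insecure for convenience would let anyone on the path capture the ph-auth-token header.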

Example Splunk SOAR Container and Artifact Events

Once configured and tested successfully, the integration creates containers with artifacts attached.

A Splunk SOAR container is a security event ingested from a third-party source. All containers are assigned labels, which enable Splunk to group related containers.

Artifacts are objects associated with a container and serve as corroboration or evidence related to the container. They represent critical data for SecOps to use when deciding on the appropriate response. Zero Trust payload data maps into custom artifacts on the container.