SIRP SOAR Add-On for Splunk
Written by Ali Murtaza
Updated over a year ago

Overview

SIRP SOAR Add-On for Splunk is a technical add-on (TA) developed by SIRP Labs. It enables Splunk Enterprise users to push high-fidelity alerts and incidents from Splunk to SIRP SOAR in real time.

Requirements

  • Splunk version 6.3 or later

  • The add-on must be installed on the Search Head, because that is where alert actions run.

Recommended System Configuration

  • A standard Splunk Search Head configuration.

Installation

There are three ways to install SIRP Add-on for Splunk:

  1. Install from Splunk web UI.

    • Go to Manage Apps > Browse more apps > Search "SIRP".

    • Locate the SIRP app, then click "Install" to initiate the installation.

    • Once the process completes, restart Splunk from Settings > Server Controls > "Restart Splunk" to finish the installation.

  2. Download the Add-on file from https://splunkbase.splunk.com/apps and install it from Splunk web UI.

    • Go to Manage Apps > "Install app from file" > locate and upload the downloaded .spl file (check the upgrade box if an earlier version of the add-on is already installed).

    • Once the process completes, restart Splunk from Settings > Server Controls > "Restart Splunk" to finish the installation.

  3. Download the Add-on file from https://splunkbase.splunk.com/apps and install it from Splunk console.

    1. Copy the downloaded file to your Splunk server and extract it into the $SPLUNK_HOME/etc/apps/ folder. A .spl file is a gzipped tar archive, so tar handles it regardless of the extension; the -C flag is required, otherwise tar would treat the directory as the name of a member to extract. List the archive's contents first and confirm every entry sits under a single app directory before extracting into $SPLUNK_HOME/etc/apps/.

      $ tar -zxvf splunk-addon-for-SIRP.tgz -C $SPLUNK_HOME/etc/apps/

    2. Restart Splunk (the path below assumes $SPLUNK_HOME is /opt/splunk)

      $ /opt/splunk/bin/splunk restart

New Custom Alert Action

Once installed, this add-on will add a new custom alert action named "Push Alerts to SIRP".

Custom Alert Action Configuration

The action is configured when you save a search as an alert.

How to Use Custom Alert Action:

  • Click Search and Reporting from the top menu.

  • Write a new search query and press Enter. Once you are satisfied with the results, save the search as an alert by clicking "Save As".

  • In the configuration of the new Alert, click "Add Actions" and choose "Push Alerts to SIRP" from the dropdown.

Configure the incident details to define the field mapping between SIRP and Splunk:

  • SIRP's API Key. Treat it as a secret: use a key with the least privilege SIRP allows for creating incidents, and restrict who can view or edit the saved search that stores it.

  • SIRP's instance URL. Use the HTTPS URL so the API key and alert data are not sent in the clear.

  • Subject/Title of the Alert

  • Priority

  • Severity

  • Payload: comma-separated "key":"value" pairs of custom fields, e.g. {"Subject":$event.Title$, "Category":$event.Category$}

  • Artifacts: comma-separated "key":"value" pairs of artifacts/IOCs, e.g. {"Destination IP":$event.Message$,"Source IP": $event.Message$}

Note: $event.field-name$ is the format for referencing a Splunk field as the "value" of the SIRP field named by the "key", so every field you reference must be present in the alert's search results.
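The following is an added example written for this page to illustrate the mapping rule above; it is not the add-on's own code, and it assumes that $event.field$ tokens are resolved by plain token substitution (an assumption, since the add-on's internals are not documented here). SAMPLE_EVENT is a constructed result row, and the function names are hypothetical. It contrasts raw text substitution, which either produces invalid JSON from the page's unquoted template or lets a hostile log field inject extra keys, with a resolver that JSON-encodes each substituted value, rejects unknown field names, and parses the result before anything would be sent to SIRP.

```python
import json
import re

# Constructed sample of the fields one Splunk result row might carry.
# The user_agent value is deliberately hostile: log-sourced fields are
# attacker-influenced text and must never be spliced into JSON as-is.
SAMPLE_EVENT = {
    "Title": "Brute force on VPN gateway",
    "Category": "Authentication",
    "src_ip": "203.0.113.7",
    "dest_ip": "10.0.0.5",
    "user_agent": 'x", "Severity": "Low',
}

# Matches the page's token form: $event.<field-name>$
TOKEN = re.compile(r"\$event\.([^$\s]+)\$")


def naive_render(template: str, event: dict) -> str:
    """Plain text substitution: the field value is dropped into the
    template exactly as it appears in the event. Shown only to contrast
    with resolve_mapping(); do not use this."""
    return TOKEN.sub(lambda m: str(event.get(m.group(1), "")), template)


def naive_parses(template: str, event: dict):
    """Return the dict naive_render() would ship, or None if it is not JSON."""
    try:
        return json.loads(naive_render(template, event))
    except json.JSONDecodeError:
        return None


def missing_fields(template: str, event: dict) -> list:
    """Fields referenced by the template that the event does not carry."""
    return [name for name in TOKEN.findall(template) if name not in event]


def resolve_mapping(template: str, event: dict) -> dict:
    """Turn a Payload/Artifacts template into a dict for the SIRP request.

    Each token is replaced by a JSON string literal (json.dumps escapes
    quotes, backslashes and control characters), and the rendered text is
    parsed before anything is sent, so a template that is not valid JSON
    fails here rather than at the SIRP API. A typo in a field name raises
    instead of silently pushing an incident with an empty IOC."""
    missing = missing_fields(template, event)
    if missing:
        raise ValueError("template references unknown fields: " + ", ".join(missing))
    rendered = TOKEN.sub(lambda m: json.dumps(str(event[m.group(1)])), template)
    return json.loads(rendered)


if __name__ == "__main__":
    payload = '{"Subject":$event.Title$, "Category":$event.Category$}'
    artifacts = '{"Destination IP":$event.dest_ip$,"Source IP": $event.src_ip$}'
    print(resolve_mapping(payload, SAMPLE_EVENT))
    print(resolve_mapping(artifacts, SAMPLE_EVENT))
    # The page's unquoted form is not JSON after raw substitution...
    print(naive_parses(payload, SAMPLE_EVENT))
    # ...and quoting the token by hand lets a hostile field add keys.
    print(naive_parses('{"UA":"$event.user_agent$"}', SAMPLE_EVENT))
    # The encoding resolver keeps the hostile value as a single string.
    print(resolve_mapping('{"UA":$event.user_agent$}', SAMPLE_EVENT))
```

The point for the mapping: any field that can carry attacker-supplied text (user agents, usernames, message bodies) should reach SIRP as one string value, and the only way to guarantee that is to encode the value rather than paste it. Keeping the resolver strict about unknown field names also catches a misspelled artifact mapping before the alert fires.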

Once configured successfully, new alerts from Splunk will be pushed to and visible in SIRP's Incident Management module.
