Overview
SIRP SOAR Add-On for Splunk is the technical add-on (TA) developed by SIRP Labs. This add-on enables Splunk Enterprise users to push high-fidelity alerts and incidents from Splunk to SIRP SOAR, in real time.
Requirements
Splunk version 6.3 or later
This add-on should be installed on the Search Head.
Recommended System Configuration
Standard Splunk configuration of the Search Head.
Installation
There are three ways to install SIRP Add-on for Splunk:
Install from Splunk web UI.
Download the Add-on file from https://splunkbase.splunk.com/apps and install it from Splunk web UI.
Go to Manage Apps > click "Install app from file" > locate and upload the downloaded .spl file (check the upgrade box if you are upgrading an existing installation).
Once the process is complete, restart the Splunk service from Settings > Server Controls > click "Restart Splunk" to finish the installation.
Download the Add-on file from https://splunkbase.splunk.com/apps and install it from Splunk console.
Download the file to your Splunk server and extract the .spl file (a gzipped tar archive) into the $SPLUNK_HOME/etc/apps/ folder. Note that tar needs the -C option to extract into a target directory; without it the directory name is treated as another archive member to extract.
$ tar zxvf splunk-addon-for-SIRP.tgz -C $SPLUNK_HOME/etc/apps/
Restart the Splunk service:
$ /opt/splunk/bin/splunk restart
New Custom Alert Action
Once installed, this add-on will add a new custom alert action named "Push Alerts to SIRP".
Custom Alert Action Configuration
The action is configured when you create a search and save it as an alert.
How to Use Custom Alert Action:
Click Search and Reporting from the top menu.
Write a new search query and press Enter. Once you are satisfied with the results, save the search as an alert by clicking the "Save As" button.
In the configuration of the new Alert, click "Add Actions" and choose "Push Alerts to SIRP" from the dropdown.
Configure the Incident details to define the field mapping between SIRP and Splunk:
SIRP's API Key
SIRP's instance URL
Subject/Title of the Alert
Priority
Severity
Payload: comma-separated "key":"value" pairs of custom fields, e.g. {"Subject":$event.Title$, "Category":$event.Category$}
Artifacts: comma-separated "key":"value" pairs of artifacts/IOCs, e.g. {"Destination IP":$event.Message$, "Source IP":$event.Message$}
Note: $event.field-name$ is the syntax for referencing a Splunk field as the "value"; the "key" is the name of the SIRP field it maps to.
Once configured successfully, new alerts from Splunk will be pushed to and visible in SIRP's Incident Management module.
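The field mapping above is easiest to reason about with a concrete expansion in front of you. The following is an added example, not code from the add-on or from SIRP Labs: it expands $event.field-name$ tokens in the Payload and Artifacts templates against one Splunk result row, emits each value as a JSON string so that a Title containing quotes cannot break the document, and shows what a missing field does. The configuration keys (title, priority, severity, payload, artifacts) and the sample event are constructed for illustration and are not the add-on's real schema.

```python
import json
import re

# Token syntax from the add-on's documentation: $event.<field-name>$.
# JSON_TOKEN also swallows a pair of quotes written around the token, so
# both {"k":$event.x$} and {"k":"$event.x$"} expand to the same valid JSON.
# A token must stand alone as the value; "prefix $event.x$" is not supported.
JSON_TOKEN = re.compile(r'"?\$event\.([^$"\s]+)\$"?')
TEXT_TOKEN = re.compile(r'\$event\.([^$"\s]+)\$')


def _expand(pattern, template, event, encode, strict):
    """Replace every token in `template` with the encoded field value.

    `event` is one Splunk result row as a dict. Unknown fields expand to an
    empty string unless strict=True, in which case a KeyError is raised so a
    mis-typed field name is caught at configuration time instead of silently
    producing an empty artifact.
    """
    def sub(match):
        field = match.group(1)
        if field not in event:
            if strict:
                raise KeyError(f"search result has no field {field!r}")
            return encode("")
        return encode(str(event[field]))
    return pattern.sub(sub, template)


def expand_text(template, event, strict=False):
    """Expand tokens in a plain-text setting such as the alert Subject/Title."""
    return _expand(TEXT_TOKEN, template, event, lambda v: v, strict)


def expand_json(template, event, strict=False):
    """Expand tokens in a Payload/Artifacts template and parse the result.

    json.dumps quotes and escapes each value, so a field containing quotes,
    backslashes or newlines is inserted as a single JSON string literal.
    """
    text = _expand(JSON_TOKEN, template, event, json.dumps, strict)
    return json.loads(text)


def build_incident(config, event, strict=False):
    """Assemble the incident document for one alert result (hypothetical
    shape; the real request body is defined by the add-on and SIRP's API)."""
    return {
        "title": expand_text(config["title"], event, strict),
        "priority": config["priority"],
        "severity": config["severity"],
        "payload": expand_json(config["payload"], event, strict),
        "artifacts": expand_json(config["artifacts"], event, strict),
    }


# Constructed sample: one Splunk result row and one saved action configuration.
SAMPLE_EVENT = {
    "Title": 'Brute force on "vpn-gw"',
    "Category": "Authentication",
    "src_ip": "203.0.113.7",
    "dest_ip": "10.0.0.5",
}
SAMPLE_CONFIG = {
    "title": "Splunk: $event.Title$",
    "priority": "High",
    "severity": "Medium",
    "payload": '{"Subject":$event.Title$, "Category":$event.Category$}',
    "artifacts": '{"Source IP":$event.src_ip$, "Destination IP":"$event.dest_ip$"}',
}

if __name__ == "__main__":
    print(json.dumps(build_incident(SAMPLE_CONFIG, SAMPLE_EVENT), indent=2))
    # A field name that is not in the result row: silent by default, loud with strict=True.
    print(expand_json('{"Host":$event.hostname$}', SAMPLE_EVENT))
    try:
        expand_json('{"Host":$event.hostname$}', SAMPLE_EVENT, strict=True)
    except KeyError as err:
        print("strict mode:", err)
```

Running the script prints the expanded incident, then shows the two ways a typo in a field name can surface: an empty artifact, or an error before anything is pushed. When mapping artifacts such as "Source IP", it is worth checking the expanded value in the search results first, since an empty or wrong IOC is what SIRP will enrich and act on downstream.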