Demisto Add-on for Splunk
Overview
Details
Full documentation is available at [our site](https://xsoar.pan.dev/docs/reference/articles/splunk-add-on) .
ABOUT THIS APP
Supporting Add-on for Cortex XSOAR. This application allows a user to create incident into XSOAR from Splunk using custom alert action.
Full documentation for the add-on is available on our site (https://xsoar.pan.dev/docs/reference/articles/splunk-add-on).
REQUIREMENTS
- Splunk version 6.3 >=
- This application should be installed on Search Head.
Recommended System configuration
- Standard Splunk configuration of Search Head.
Installation in Splunk Cloud
- Same as on-premise setup.
Installation of App
-
This app can be installed through UI using "Manage Apps" or from the command line using the following command:
$SPLUNK_HOME/bin/splunk install app $PATH_TO_SPL/TA-Demisto.spl/ -
User can directly extract SPL file into $SPLUNK_HOME/etc/apps/ folder.
Application Setup
- The user must complete the setup of the application. In order to create incident into XSOAR, a user needs to enter "Launch app" action after installing the add-on and provide the following:
1) Create a XSOAR instance:
Under XSOAR Instances tab, press the "Add" button. Choose an instance name, and fill the XSOAR server URL (including port if needed) and the API key fields. The API key is used for authorization with XSOAR. In order to generate this parameter, a user should log in to Demisto and then click on Settings --> Integration --> API Keys.
2) Set up proxy settings (optional):
Under Proxy tab, check the "Enable" checkbox and fill all the proxy parameters needed.
3) Choose log level (optional):
By default, the logging level is "INFO". You may change the logging level to "DEBUG" in case needed.
4) Additional Settings (optional):- If you have an SSL certificate, please provide its full path under "Location to Certificate" field.
- By default, "Validate SSL" is enabled.
- You must restart Splunk in order to apply changes in the configuration settings.
Custom Alert Action
- This application will add custom alert action named XSOAR Custom Alert Action. The user can configure this action on saved search. The user can pass following parameters to XSOAR:
1) Name: Name of the alert.
2) Occurred Time: Time when alert was triggered
3) Type: Type in XSOAR.
4) Labels: Comma separated values to be put in the label field.
5) Severity: Severity of the alert
6) Details: Details field in the incident.
Troubleshooting
- Environment variable SPLUNK_HOME must be set.
- To troubleshoot Demisto add-on, check $SPLUNK_HOME/var/log/splunk/create_xsoar_incident_modalert.log file.
Release Notes
Version 4.1.2
Version 4.1.1
Breaking Changes
The new version of the app won't support verify False anymore for Cloud users due to Splunk decision regarding external requests.
The user must add a certificate in order for the add-on to work properly.
For Enterprise users, the default value of the ssl_verify configuration field will now be True.
Changes
- Added proxy settings.
- Removed Verify option from configuration.
Version 4.0.2
Fixed an issue where API key contains $ sign.
Version 4.0.1
The app is now supported in XSOAR v8.
Version 4.0.0
This version was created using Splunk add-on builder version 4.1.0, therefore it does not longer supports python2, as well as Splunk versions lower than 8.0
Changes made from v3.0.8:
- Additional parameter (timeout) was added, it controls the timeout of the incident creation request.
- More logging in case of error added.
Version 3.0.8
Fixed an issue where incidents could not be created successfully with SSL certificates.
Version 3.0.7
Fixed an issue where ad-hoc incidents from Splunk ES were not created successfully.
Version 3.0.6
Fixed an issue where incidents were not created successfully from notable events.
Version 3.0.5
- Fixed an issue where manual Adaptive Response Actions could not be created in Splunk ES.
- Fixed a python 2-3 compatibility issue.
- Added some debug logs and informative error messages.
Version 3.0.4
Added an option to input custom fields with values that contain commas/colons. The values in this case should be wrapped with apostrophes, quotation marks, backticks, parenthesis or curly brackets.
Version 3.0.3
- Updated add-on icons.
- Improved debug logs in create_xsoar_incident script.
- Added "name" field and additional search metadata fields to rawJSON to be used in classification & mapping.
Version 3.0.2
Support multiple certificates for multiple servers
Version 3.0.1
Stability enhancement for supporting splunk cloud compatibility.
Version 3.0.0
New version of Demisto add-on for Splunk, compatible with python 2 and 3.
The upgrade requires reconfiguration of the add-on.
Version 2.0.8
Regex improvements
Version 2.0.3
- Ability to send an alert to multiple Demisto servers. Please note that if you upgrade to this version you will need to re-define your alarms and select for each a specific Demisto server or to send the alert to all of the Demisto servers.
Version 2.0.0
- Supporting HTTPS proxy
- Better error messages
- Ability to send alerts with special characters in their path, such as “my / alert”
Version 1.0.7
-- App Certification Failure Fixed - Batch Stanza
-- Timezone changes while creating Incident