
Splunk v1.6.1

About the connector

Splunk is SIEM software that allows searching, monitoring, and analyzing machine-generated big data using a web-style interface. For more information, see the Splunk website.

This document provides information about the Splunk connector, which facilitates automated interactions with a Splunk server using FortiSOAR™ playbooks. Add the Splunk connector as a step in FortiSOAR™ playbooks to perform automated operations such as retrieving details and events for a Splunk alert, or running a search query on the Splunk server.

You can also automatically forward events and alerts from Splunk to FortiSOAR™ using the Fortinet FortiSOAR Add-on. For more information, see the Fortinet FortiSOAR Add-on section.

You can use FortiSOAR™'s Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling events from Splunk. For more information, see the Data Ingestion Support section.

Version information

Connector Version: 1.6.1

FortiSOAR™ Version Tested on: 6.4.4-3164

Splunk Version Tested on: Splunk Enterprise 7.3.8, 8.0.7

Authored By: Fortinet

Certified: Yes

Release Notes for version 1.6.1

The following enhancements have been made to the Splunk Connector in version 1.6.1:

  • Added support for Splunk Version 8.0.x.
  • Replaced "CyberSponse" with "FortiSOAR" in playbook names.
  • Renamed connector action name from “Sync Splunk Users to CyOPs” to “Sync Splunk Users to FortiSOAR”.

Splunk 8.0 support

Users need to consider the following key points for the Splunk upgrade:

  • Users on Splunk 8.0.x who are installing the connector and/or the add-on for the first time must use at least connector version 1.6.0 and add-on version 2.6.0.
  • Users who have already configured ingestion of Splunk data into FortiSOAR™ and are upgrading to Splunk 8 must do the following:
    • If you are using the CyberSponse add-on on Splunk to forward data, install the new Fortinet FortiSOAR Add-on and remove or deactivate the CyberSponse add-on.
    • Update the data ingestion playbooks so that they no longer rely on the _bkt key, which is no longer present by default in Splunk 8 events. Update the following playbook steps in version 1.6.0 of the connector (refer to the latest Sample - Splunk - 1.6.1 collection for the playbook update):
      1. In the Splunk > Inbound Alert playbook, update the "Calculate Event ID" step so that it runs only under the following 'when' condition (the step is then skipped for events that carry no _bkt):
         '_time' in vars.sourcedata and '_raw' in vars.sourcedata and '_bkt' in vars.sourcedata
         See the following image:
      2. In the Splunk > Inbound Incident playbook:
         a. Update the "Update Notable Fields" step and add the following 'when' condition:
            'urgency' not in vars.sourcedata and 'owner' not in vars.sourcedata and 'event_id' in vars.sourcedata and 'notable' in vars.sourcedata.event_id
            See the following image:
         b. Add a Find Record step named "Return Record" after the "Update Notable Fields" step. In the "Return Record" step, select Incident as the Module, and in the filters specify:
            Source ID Contains {{vars.input.params['api_body']['event_id']}}
            See the following image:

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, see the FortiSOAR™ documentation.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-splunk

Prerequisites to configuring the connector

  • You must have the URL and credentials of the Splunk server on which you will perform the automated operations. The user must have the right to configure custom applications on the Splunk server; use a dedicated service account for the connector rather than a shared administrator login.
  • The FortiSOAR™ server must have outbound connectivity to the Splunk REST API (management) port, 8089 by default (see the Splunk API Port configuration parameter), not only to the Splunk web port.
  • To automatically forward events and alerts from Splunk to FortiSOAR™, you must install and configure the Fortinet FortiSOAR Add-on. For more information, see the Fortinet FortiSOAR Add-on section.
  • You must enable the Splunk REST API.

Configuring the connector

For the procedure to configure a connector, see the FortiSOAR™ documentation.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Splunk connector row, and in the Configure tab enter the required configuration details.

Parameter | Description
Server Address | IP address or FQDN of the Splunk server to which you will connect and perform automated operations. For example, mySplunkServer.
Username | Username used to access the Splunk REST endpoint.
Password | Password of that user.
Protocol | Protocol used to communicate with the Splunk server: http or https. Defaults to https. Keep https; with http the credentials and the search results travel in clear text.
Splunk API Port | REST API (management) port of the Splunk server. Defaults to 8089.
Application Namespace | Namespace (app context) used for invoking all of the Splunk APIs. For more information about namespaces, see the Splunk Documentation.
Verify SSL | Specifies whether the SSL certificate of the server is verified. Defaults to True. Keep it True outside a lab: with verification disabled, any host that can intercept the connection can impersonate the Splunk server and capture the credentials.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

Function | Description | Annotation | Category
Invoke Search | Invokes a search on the Splunk server. | search_query | Investigation
Get Details for a Search | Retrieves the details for a Splunk search. | get_result | Investigation
Get Events for a Search | Retrieves the event details for a Splunk search. | get_events | Investigation
Get Results for a Search | Retrieves the results for a Splunk search. | get_result | Investigation
Get Splunk Action | Retrieves details of the available Splunk alert actions or adaptive response actions. | get_command | Investigation
Run Splunk Action | Runs an alert action or an adaptive response action on a search result or a notable. | run_command | Investigation
Update Splunk Notables | Updates Splunk notables when FortiSOAR™ is updated. | update_record | Investigation
Sync Splunk Users to FortiSOAR | Synchronizes Splunk Enterprise Security (ES) users to FortiSOAR™ for correlation between FortiSOAR™ and Splunk. Note: Synchronize only those users who are allowed to be assigned to notable events. | sync_users | Miscellaneous
Get List Of Triggered Alerts | Retrieves a list of alerts that are triggered on Splunk based on the parameters you have specified. | get_alerts | Investigation
Get Details Of Triggered Alert | Retrieves information about an alert triggered on Splunk based on the name of the alert you have specified. | get_alert | Investigation
Add Comment to Splunk Notables | Adds a comment to the specified Splunk notable event ID(s); use a comma-separated list for multiple events. | update_record | Investigation
Get All Collections from Splunk App | Retrieves a list of all KV Store collections stored in the context of a specified Splunk app, based on the application name and other input parameters you have specified. | get_all_collections | Investigation
Add New Collection to Splunk App | Adds a new KV Store collection to a specified Splunk app, based on the application name, collection name, and other input parameters you have specified. | add_new_collection | Investigation
Fetch Records from Collection | Retrieves a list of all records of a specified collection within the specified Splunk app, based on the application name, collection name, and other input parameters you have specified. | get_records_in_collection | Investigation
Add Record to a Collection | Adds a record to an existing KV Store collection within the specified Splunk app, based on the application name, collection name, record key and value, and other input parameters you have specified. | add_record_to_collection | Investigation
Delete Record From a Collection | Removes a record from an existing KV Store collection within the specified Splunk app, based on the application name, collection name, record ID, and other input parameters you have specified. | delete_record_from_collection | Investigation

operation: Invoke Search

Input parameters

Parameter Description
Search Query Query for the search that you want to run on the Splunk server. Note that the default begins with the search command, as the Splunk search API expects.
Defaults to search host="{{vars.result.data.host}}"
Earliest Time (Optional) Start time for the search, as a Splunk time-modifier string. If this parameter is left empty, it is set to the current time.
For example, -30m or -14d@d: 'm' stands for minutes and 'd' for days, so -30m means the last 30 minutes and -14d@d means 14 days ago, snapped to the start of that day.
For the time format, see http://docs.splunk.com/Documentation/Splunk/8.0.7/SearchReference/SearchTimeModifiers.
Latest Time (Optional) End time for the search, as a Splunk time-modifier string. If this parameter is left empty, it is set to the current time.
For the time format, see http://docs.splunk.com/Documentation/Splunk/8.0.7/SearchReference/SearchTimeModifiers.
Execution Mode Mode of execution for this operation.
You can choose one of the following options:
Normal: To run an asynchronous search.
Blocking: To return the sid when the job is complete.
One Shot: To return results in the same call.
In this case, you can specify the format for the output (for example, JSON output) using the output_mode parameter as described in GET search/jobs/export. The default format for output is XML.
Timeout (Optional) Time, in seconds, of inactivity, after which the search job automatically cancels (0 = Never auto-cancel).
Additional Search Arguments Additional parameters for the search. You can specify additional parameters, such as time windows, to your search query to get specific search results. For more information, see the Splunk REST API Reference Manual.
Note: To run a search in the verbose mode, add the following parameter: {“adhoc_search_level”:“verbose”}.

Output

The JSON output contains the data retrieved based on the search query. The search results depend on the additional parameters specified in the search. If the search is run in a blocking or normal mode, the sid is returned. For example, {“sid”: “1496222688.33”}.

The output contains the following populated JSON schema:
{
"sid": ""
}

operation: Get Details for a Search

Input parameters

Parameter Description
Search ID ID of the Splunk search for which you want to retrieve details.
Defaults to {"value": "{{vars.request.data.sid}}"}.

Output

The JSON output contains all the details based on the specified search ID.

The output contains the following populated JSON schema:
{
"entry": [
{
"acl": {},
"content": {},
"links": [],
"author": "",
"id": "",
"name": ""
}
],
"paging": {},
"generator": {},
"origin": "",
"links": {},
"updated": ""
}

operation: Get Events for a Search

Input parameters

Parameter Description
Search ID ID of the Splunk search for which you want to retrieve events.
Defaults to {"value": "{{vars.request.data.sid}}"}.
Additional Request Parameters (Optional) You can add other request parameters in JSON format.
For example, {"output_mode": "json", "count": 10}

Note: If your search query has additional commands, such as stats, run on the events from the search, the Get Events API returns an empty result if the search is not run in verbose mode. To set the verbose mode, add the following parameter to the Additional Search Arguments parameter in the Invoke Search operation: {“adhoc_search_level”:“verbose”}.

Output

The output contains the following populated JSON schema:
{
"fields": [],
"results": []
}

operation: Get Results for a Search

Input parameters

Parameter Description
Search Id ID of the Splunk search as a JSON. For example, {'value': {{vars.sid}}}.
Note: You must add the Search ID as a JSON with the key value as specified in the example; otherwise, the operation might fail.
Additional Request Parameters (Optional) You can add other request parameters in JSON format.
For example, {"output_mode": "json", "count": 10}

Output

The JSON output contains the transformed results for the specified Splunk search in a search result.

The output contains the following populated JSON schema:
{
"init_offset": 0,
"fields": [],
"messages": [],
"results": [],
"preview": false,
"highlighted": {}
}
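The four search operations above map onto one Splunk REST sequence: POST to search/jobs to create the job (Invoke Search), GET the job entry until isDone is set (Get Details for a Search), then GET its events or results. The following Python client is an added example, not the connector's code. It assumes the management port 8089, basic authentication, the /servicesNS/<owner>/<app>/search/jobs endpoints, and that the connector's Timeout corresponds to Splunk's auto_cancel parameter; the HTTP transport is injectable so the whole flow can be driven offline against a fake server.

```python
"""Splunk REST search flow: create a job, poll it, fetch events/results.

Added example (not the connector's code). Assumptions: management port 8089,
basic auth, /servicesNS/<owner>/<app>/search/jobs endpoints, and that the
connector's Timeout maps to Splunk's auto_cancel. 'transport' is injectable
so the flow can run offline against a fake server.
"""
import base64
import json
import ssl
import time
import urllib.parse
import urllib.request


def https_transport(verify_ssl=True):
    """Return a callable (method, url, headers, body) -> (status, raw_bytes)."""
    ctx = ssl.create_default_context()
    if not verify_ssl:  # lab only: disables certificate and hostname checks
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(method, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status, resp.read()

    return send


class SplunkSearch:
    def __init__(self, host, username, password, port=8089, protocol="https",
                 owner="nobody", app="search", verify_ssl=True, transport=None):
        # Application namespace: every call goes under /servicesNS/<owner>/<app>/
        self.base = f"{protocol}://{host}:{port}/servicesNS/{owner}/{app}/search/jobs"
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}"}
        self.transport = transport or https_transport(verify_ssl)

    def _call(self, method, url, params=None):
        body = urllib.parse.urlencode(params).encode() if params else None
        status, raw = self.transport(method, url, self.headers, body)
        if status >= 400:
            raise RuntimeError(f"Splunk returned HTTP {status}: {raw[:200]!r}")
        return json.loads(raw)

    @staticmethod
    def normalize_query(query):
        """The jobs endpoint rejects SPL that does not start with 'search' or '|'."""
        q = query.strip()
        return q if q.startswith(("search ", "|")) else f"search {q}"

    def invoke(self, query, earliest="-24h", latest="now", exec_mode="normal",
               timeout=0, extra=None):
        """Create a job. exec_mode: normal (async, returns sid), blocking
        (returns sid once done) or oneshot (returns the results directly)."""
        params = {"search": self.normalize_query(query),
                  "earliest_time": earliest, "latest_time": latest,
                  "exec_mode": exec_mode, "output_mode": "json",
                  "auto_cancel": int(timeout)}  # 0 = never auto-cancel
        params.update(extra or {})  # e.g. {"adhoc_search_level": "verbose"}
        return self._call("POST", self.base, params)

    def details(self, sid):
        """Job entry: content.isDone, content.dispatchState, resultCount, ..."""
        return self._call("GET", f"{self.base}/{sid}?output_mode=json")

    def wait(self, sid, poll=2, max_wait=300):
        """Poll until the job is done; raise on FAILED or when max_wait elapses."""
        deadline = time.monotonic() + max_wait
        while True:
            content = self.details(sid)["entry"][0]["content"]
            if content.get("dispatchState") == "FAILED":
                raise RuntimeError(f"search {sid} failed: {content.get('messages')}")
            if content.get("isDone"):
                return content
            if time.monotonic() > deadline:
                raise TimeoutError(f"search {sid} not finished after {max_wait}s")
            time.sleep(poll)

    def _fetch(self, sid, kind, count):
        qs = urllib.parse.urlencode({"output_mode": "json", "count": count})
        return self._call("GET", f"{self.base}/{sid}/{kind}?{qs}")

    def results(self, sid, count=100):
        """Transformed rows (what the SPL produces after stats, table, ...)."""
        return self._fetch(sid, "results", count)

    def events(self, sid, count=100):
        """Raw matching events; empty after a transforming command unless the
        job was created with adhoc_search_level=verbose."""
        return self._fetch(sid, "events", count)
```

Pass extra={"adhoc_search_level": "verbose"} to invoke() when the SPL ends in a transforming command and you still need events(), which mirrors the note under Get Events for a Search. Leave verify_ssl=True outside a lab; the only thing disabling it buys is acceptance of a certificate you did not issue.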

operation: Get Splunk Action

Input parameters

Parameter Description
Action Name Name of the action for which the details are to be fetched. A match for this name is looked for in the action name, description, and label of each Splunk action. This parameter is optional; if you do not specify it, the operation fetches a list of all Splunk actions.

Output

The JSON output contains input parameters and other details for all alert actions that match the action name you have specified.

The output contains the following populated JSON schema:
{
"content": {},
"id": "",
"name": ""
}

operation: Run Splunk Action

Input parameters

Parameter Description
Notable Event Id ID of the notable event on which you want to run the action.
Search Id ID of the Splunk search on which you want to run the action.
You must specify either the Notable Event Id or the Search Id.
Action Name Name of the action to be run.
Action Parameters Parameters of the action that you want to run. For example, a parameter in JSON format would be {"max_results": "1"}
Note: You can use the Get Splunk Action operation to get parameter names for a specific action.
Frequency If you are running the operation on search results, this parameter specifies if the action should be run only once for the entire resultset or for each result.

Output

This operation executes the action with the help of the sendalert command from Splunk. The JSON output contains the events from the execution of the sendalert command and varies for each action. The following image displays the output of the execution of the Splunk ES Risk Analysis adaptive response action on a notable event:

The output contains a non-dictionary value.

operation: Update Splunk Notables

Input parameters

Note: Include this operation in a Splunk playbook so that notables are updated on Splunk when they are updated in FortiSOAR™.

Parameter Description
Notable Event ID ID of the notable event that you want to update on Splunk.
Status Status of the Splunk notable.
You can specify any of the following values: Unassigned, New, In Progress, Pending, Resolved, or Closed.
Urgency Urgency of the Splunk notable.
You can specify any of the following values: Info, Low, Medium, High, or Critical.
Owner Owner of the Splunk notable event.

Output

The JSON output returns a status containing "success" if the Splunk notables are updated, or "failure" with the reason for failure if the Splunk notables are not updated.

The output contains the following populated JSON schema:
{
"status": "",
"result": ""
}

operation: Sync Splunk Users to FortiSOAR

Input parameters

None. Include this operation in a Splunk playbook to pull the Splunk ES users into FortiSOAR™, so that a FortiSOAR™ alert can be assigned to the same user as the corresponding Splunk notable.

Output

The JSON output returns a Success message if the Splunk users are synchronized, or an Error message containing the reason for failure. The output also contains the names of the users.

The output contains a non-dictionary value.

operation: Get List Of Triggered Alerts

Input parameters

Parameter Description
Max Number Of Entries To Return Maximum number of triggered alerts that you want the operation to return. Set the value to -1 if you want to retrieve all the triggered alerts.
Offset Index of the first item to return.
Response Filter Filter used to specify which triggered alerts must be returned. The values of the response fields are matched against this search expression.
Examples:
search=foo matches any entry that has the string foo as a substring in a field value.
search=field_name%3Dfield_value restricts the match to a single field. (Requires URI encoding; %3D is the encoded = sign.)
Sort By Sorting order of the result: asc (ascending) or desc (descending).
Field Name To Use For Sorting Name of the field on which you want to sort the result.
Sort Mode Logical sequencing (collation) of the results. Choose one of the following:
auto: If all field values are numeric, collate numerically; otherwise, collate alphabetically.
alpha: Collate field values alphabetically, case-insensitive.
alpha_case: Collate field values alphabetically, case-sensitive.
num: Collate field values numerically.

Output

The JSON output contains a list of alerts and other details for all alerts triggered on Splunk based on the parameters you have specified.

The output contains the following populated JSON schema:
{
"entry": [
{
"name": "",
"author": "",
"acl": {
"removable": "",
"can_write": "",
"sharing": "",
"app": "",
"perms": {
"write": [],
"read": []
},
"modifiable": "",
"can_list": "",
"owner": ""
},
"id": "",
"updated": "",
"content": {
"triggered_alert_count": "",
"eai:acl": ""
},
"links": {
"list": "",
"alternate": ""
}
}
],
"paging": {
"perPage": "",
"total": "",
"offset": ""
},
"generator": {
"version": "",
"build": ""
},
"origin": "",
"messages": [],
"updated": "",
"links": {
"_acl": ""
}
}

operation: Get Details Of Triggered Alert

Input parameters

Parameter Description
Alert Name Name of the triggered alert for which the details are to be fetched.

Output

The JSON output contains details for the triggered alert that match the alert name you have specified.

The output contains the following populated JSON schema:
{
"paging": {
"perPage": "",
"offset": "",
"total": ""
},
"entry": [
{
"published": "",
"author": "",
"name": "",
"links": {
"job": "",
"savedsearch": "",
"list": "",
"alternate": "",
"remove": ""
},
"acl": {
"removable": "",
"can_write": "",
"sharing": "",
"app": "",
"perms": {
"write": [],
"read": []
},
"modifiable": "",
"can_list": "",
"owner": ""
},
"id": "",
"updated": "",
"content": {
"triggered_alerts": "",
"trigger_time_rendered": "",
"trigger_time": "",
"severity": "",
"actions": "",
"sid": "",
"expiration_time_rendered": "",
"savedsearch_name": "",
"alert_type": "",
"eai:acl": "",
"digest_mode": ""
}
}
],
"generator": {
"version": "",
"build": ""
},
"origin": "",
"links": {
"_acl": ""
},
"updated": "",
"messages": []
}

operation: Add Comment to Splunk Notables

Input parameters

Parameter Description
Notable Event Ids ID(s) of the notable event(s) in which you want to add comments.
Use a comma-separated list of IDs in case of multiple events.
Comment Comment that you want to add to the Splunk notable event(s).

Output

The JSON output returns a Success message if the Splunk notable event(s) are updated, or an Error message containing the reason for failure.

The output contains a non-dictionary value.

operation: Get All Collections from Splunk App

Input parameters

Parameter Description
Owner (Optional) Name of the user who owns the collections in the specified Splunk app.
App Name Name of the Splunk app whose complete list of KV Store collections you want to retrieve.

Output

The output contains the following populated JSON schema:
{
"messages": [],
"updated": "",
"origin": "",
"paging": {
"perPage": "",
"total": "",
"offset": ""
},
"links": {
"_acl": "",
"_reload": "",
"create": ""
},
"generator": {
"build": "",
"version": ""
},
"entry": [
{
"updated": "",
"id": "",
"author": "",
"content": {
"eai:appName": "",
"replication_dump_maximum_file_size": "",
"field._time": "",
"replication_dump_strategy": "",
"disabled": "",
"profilingThresholdMs": "",
"field.data": "",
"eai:acl": "",
"profilingEnabled": "",
"type": "",
"field.user": "",
"field.splunk_server": "",
"replicate": "",
"eai:userName": "",
"accelerated_fields.default": ""
},
"acl": {
"modifiable": "",
"removable": "",
"can_share_app": "",
"perms": {
"read": [],
"write": []
},
"can_share_global": "",
"sharing": "",
"can_write": "",
"app": "",
"can_list": "",
"can_share_user": "",
"owner": "",
"can_change_perms": ""
},
"links": {
"list": "",
"_reload": "",
"alternate": "",
"edit": "",
"disable": ""
},
"name": ""
}
]
}

operation: Add New Collection to Splunk App

Input parameters

Parameter Description
Owner (Optional) Name of the user who owns the collection in the Splunk app in which you want to add a new collection.
App Name Name of the app to which you want to add the new collection.
Collection Name Name of the new collection that you want to add to the Splunk app.

Output

The output contains the following populated JSON schema:
{
"messages": [],
"updated": "",
"origin": "",
"paging": {
"perPage": "",
"total": "",
"offset": ""
},
"links": {
"_acl": "",
"_reload": "",
"create": ""
},
"generator": {
"build": "",
"version": ""
},
"entry": [
{
"updated": "",
"id": "",
"author": "",
"content": {
"profilingEnabled": "",
"profilingThresholdMs": "",
"eai:appName": "",
"replication_dump_maximum_file_size": "",
"replication_dump_strategy": "",
"disabled": "",
"type": "",
"replicate": "",
"eai:acl": "",
"eai:userName": ""
},
"acl": {
"modifiable": "",
"removable": "",
"can_share_app": "",
"perms": {
"read": [],
"write": []
},
"can_share_global": "",
"sharing": "",
"can_write": "",
"app": "",
"can_list": "",
"can_share_user": "",
"owner": "",
"can_change_perms": ""
},
"links": {
"list": "",
"remove": "",
"disable": "",
"_reload": "",
"alternate": "",
"edit": ""
},
"name": ""
}
]
}

operation: Fetch Records from Collection

Input parameters

Parameter Description
Owner (Optional) Name of the user who owns the collection in the specified Splunk app.
App Name Name of the Splunk app that the collection whose records you want to retrieve is part of.
Collection Name Name of the collection whose records you want to retrieve from Splunk.

Output

The output contains the following populated JSON schema:
{
"_user": "",
"_key": ""
}

operation: Add Record to a Collection

Input parameters

Parameter Description
Owner (Optional) Name of the user who owns the collection in the specified Splunk app.
App Name Name of the Splunk app that the collection to which you want to add records is part of.
Collection Name Name of the collection to which you want to add records.
Record Key Key of the record that you want to add to the specified collection.
Record Value Value of the record that you want to add to the specified collection.

Output

The output contains the following populated JSON schema:
{
"_key": ""
}

operation: Delete Record From a Collection

Input parameters

Parameter Description
Owner (Optional) Name of the user who owns the collection in the specified Splunk app.
App Name Name of the Splunk app that the collection from which you want to delete records is part of.
Collection Name Name of the collection from which you want to delete records.
Record ID ID of the record that you want to delete from the specified collection.

Output

The output contains the following populated JSON schema:
{
"success": ""
}
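The five KV Store operations above correspond to two REST endpoint families: storage/collections/config for the collections themselves and storage/collections/data/<collection> for their records. The following client is an added example, not the connector's code. It assumes those documented endpoints under /servicesNS/<owner>/<app>/, basic authentication on port 8089, and that Record Key and Record Value are stored as the document {"_key": key, "value": value} (the connector's exact document layout is not stated on this page). The transport is injectable so the calls can be exercised offline. Because the record ID is spliced into the URL path on delete, the client refuses path-like keys and percent-encodes the rest.

```python
"""Splunk KV Store client for the five collection operations above.

Added example (not the connector's code). Assumptions: the documented
storage/collections/config and storage/collections/data endpoints under
/servicesNS/<owner>/<app>/, basic auth on port 8089, and that Record Key /
Record Value are stored as the document {"_key": key, "value": value}.
'transport' is injectable so the calls can be exercised offline.
"""
import base64
import json
import urllib.parse
import urllib.request


def urllib_transport(method, url, headers, body):
    """Send one HTTPS request with certificate verification on."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


class SplunkKVStore:
    def __init__(self, host, username, password, app, owner="nobody", port=8089,
                 transport=urllib_transport):
        self.base = f"https://{host}:{port}/servicesNS/{owner}/{app}/storage/collections"
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.auth = {"Authorization": f"Basic {token}"}
        self.transport = transport

    def _call(self, method, path, form=None, doc=None):
        headers = dict(self.auth)
        body = None
        if form is not None:            # config endpoint takes form fields
            body = urllib.parse.urlencode(form).encode()
        elif doc is not None:           # data endpoint takes a JSON document
            body = json.dumps(doc).encode()
            headers["Content-Type"] = "application/json"
        status, raw = self.transport(method, f"{self.base}/{path}", headers, body)
        if status >= 400:
            raise RuntimeError(f"HTTP {status} on {method} {path}: {raw[:200]!r}")
        return json.loads(raw) if raw else {}

    # --- collections (Get All Collections / Add New Collection) ---
    def list_collections(self):
        # The config endpoint answers in Atom XML unless output_mode=json is set.
        entries = self._call("GET", "config?output_mode=json")["entry"]
        return [e["name"] for e in entries]

    def create_collection(self, name):
        return self._call("POST", "config?output_mode=json", form={"name": name})

    # --- records (Fetch Records / Add Record / Delete Record) ---
    @staticmethod
    def _safe_key(key):
        # The key is spliced into the URL path on delete; refuse path-like input.
        if not key or "/" in key or key.startswith("."):
            raise ValueError("record key must be non-empty and not path-like")
        return urllib.parse.quote(key, safe="")

    def records(self, collection):
        return self._call("GET", f"data/{collection}")  # data endpoint is JSON-only

    def add_record(self, collection, key, value):
        """Insert one document; Splunk answers {"_key": "<key>"}."""
        self._safe_key(key)
        return self._call("POST", f"data/{collection}", doc={"_key": key, "value": value})

    def delete_record(self, collection, key):
        self._call("DELETE", f"data/{collection}/{self._safe_key(key)}")
        return {"success": True}
```

The config endpoint and the data endpoint differ in both request and response encoding: collections are created with form fields and answer in Atom XML unless output_mode=json is requested, whereas records are posted and returned as JSON documents. A playbook that feeds a record key taken from an alert field into Delete Record From a Collection should apply the same path check before the call.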

Included playbooks

The Sample-Splunk-1.6.1 playbook collection comes bundled with the Splunk connector. These playbooks contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Splunk connector.

  • Splunk > Add New Collection to Splunk App
  • Splunk > Add Record to a Collection
  • Splunk > Alert Action
  • Splunk > Alert Post-Update
  • Splunk > Alert Update
  • Splunk > Delete Record From a Collection
  • > Splunk > Fetch
  • Splunk > Fetch Records from Collection
  • Splunk > Get All Collections from Splunk App
  • Splunk > Get List of Triggered Alerts
  • >> Splunk > Handle Macro
  • Splunk > Inbound Alert
  • Splunk > Inbound Incident
  • Splunk > Incident Post-Update
  • Splunk > Incident Update
  • Splunk > Ingest
  • Splunk > Search Actions
  • Splunk > Sync Splunk Users to FortiSOAR
  • Splunk > Triggered Alerts Actions
  • Splunk > Update Notable Fields

The Splunk > Get List of Triggered Alerts playbook is used by the FortiSOAR: Run Playbook adaptive response action.

The sample playbooks from 2 to 8 work in conjunction with the TA-fortinet-fortisoar-x.x.x.tar.gz to invoke FortiSOAR actions from the Splunk UI and also to automatically forward Splunk alerts and notables as FortiSOAR alerts and incidents. For more information, see the Fortinet FortiSOAR Add-on section.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.

Additional configurations required for automatically creating and updating alerts

1. Synchronizing Splunk ES users with FortiSOAR™

Use the Sync Splunk Users to FortiSOAR connector function in a playbook to synchronize specific Splunk users to FortiSOAR™. Synchronize only those users who are allowed to be assigned to notable events. Synchronizing the users would enable FortiSOAR™ to assign the FortiSOAR alert to the same user as the Assignee for the corresponding Splunk notables.

2. Updating the FortiSOAR™ modules

Note: This procedure is optional, and it enables the bidirectional update of notables. Therefore, perform this procedure, only if you require the Splunk notables to be automatically updated if the corresponding FortiSOAR™ incident or alert module is updated and vice-versa. This procedure also assumes that you are using FortiSOAR™ version 4.10.1 or higher. If you are using a different version of FortiSOAR™, such as FortiSOAR™ 4.9, then it is possible that the FortiSOAR™ UI navigation is different. Refer to the FortiSOAR™ documentation of that particular version for details about FortiSOAR™ navigation.

When a Splunk ES notable event is mapped to a FortiSOAR™ alert or incident, the Status and Urgency of the event can be mapped into the equivalent fields in the FortiSOAR™ modules. The sample playbooks included with Splunk connector 1.5.0 and later already contain the mapping for the FortiSOAR™ incident and alert modules in their "Configuration" step. The following image is of the Configuration step in the Splunk > Inbound Alert playbook that contains the mapping:

Modifying the default Alert and Incident Creation Behavior

As mentioned in the Integration Points section, the actions from the Fortinet FortiSOAR Add-on invoke playbooks bundled with the Splunk connector for the desired automation. If you want to customize the default behavior of the playbooks, you can either modify the existing playbook or create and invoke a new playbook. If you create a new playbook, you must deactivate or delete the corresponding sample playbook and write the new playbook with the same API trigger.

The following table lists the API trigger and the corresponding default playbook for your easy reference:

S.No. Action API Trigger Default Playbook
1 FortiSOAR: Create Alert api/triggers/1/splunkAlert Splunk > Inbound Alert
2 FortiSOAR: Create Incident api/triggers/1/splunkIncident Splunk > Inbound Incident
3 For updating the FortiSOAR Alert when the corresponding notable event is updated api/triggers/1/splunkAlertUpdate Splunk > Alert Update
4 For updating the FortiSOAR Incident when the corresponding notable event is updated api/triggers/1/splunkIncidentUpdate Splunk > Incident Update
5 For Updating Splunk on Alert Post-Update NA Splunk > Alert Post-Update
6 For Updating Splunk on Incident Post-Update NA Splunk > Incident Post-Update

The playbooks are installed with the FortiSOAR Splunk connector. For integrations 5 and 6 to work, ensure that you have updated the connector steps in the appropriate playbook to point to your Splunk configuration.

It is recommended that you make a copy of these playbooks and then customize them as per your requirements. Once you have a working copy, ensure that you set the state of the sample playbooks to Inactive; otherwise, both the playbooks will be triggered whenever events are forwarded from Splunk.

Troubleshooting

Fingerprint has expired error is observed in the TA-fortinet-fortisoar-x.x.x.tar log

The "Fingerprint has expired” error is seen in the ta-fortinet-fortisoar_fortisoar_common.connection.log file.

Resolution:

This issue could occur in cases where there is a difference between the time of the Splunk Search Head and the FortiSOAR™ instance. Resolve this issue by synchronizing the time of the Splunk Search Head and your FortiSOAR™ instance to a common NTP server.
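One way to confirm the skew before touching the NTP configuration is to read the Date header of any HTTPS response from the FortiSOAR™ instance and compare it with the local clock of the host running the check (the Splunk search head). This is an added example, not part of the add-on; the 300-second tolerance is an assumed illustration value, not the add-on's own limit.

```python
"""Clock-skew check behind the "Fingerprint has expired" error.

Added example, not part of the add-on. Compares the Date header of an HTTPS
response from FortiSOAR with the local clock of the host running the check
(the Splunk search head). TOLERANCE_SECONDS is an assumed illustration
value, not the add-on's own limit.
"""
import datetime
import email.utils
import time
import urllib.error
import urllib.request

TOLERANCE_SECONDS = 300  # assumed illustration value


def skew_seconds(http_date, local_ts):
    """Signed (remote - local) offset in seconds for an RFC 7231 Date header,
    with local_ts given as a POSIX timestamp such as time.time()."""
    remote = email.utils.parsedate_to_datetime(http_date)
    if remote.tzinfo is None:  # a '-0000' zone parses as naive; treat it as UTC
        remote = remote.replace(tzinfo=datetime.timezone.utc)
    return remote.timestamp() - local_ts


def clocks_agree(http_date, local_ts, tolerance=TOLERANCE_SECONDS):
    return abs(skew_seconds(http_date, local_ts)) <= tolerance


def fortisoar_skew(url):
    """Live check. An HTTP response normally carries Date even when the
    request is rejected, so an unauthenticated 401/403 is still usable."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            header = resp.headers["Date"]
    except urllib.error.HTTPError as err:
        header = err.headers["Date"]
    return skew_seconds(header, time.time())
```

Run fortisoar_skew("https://<fortisoar-host>/") from the search head; a result well outside the tolerance in either direction points at the clock, not at the appliance keys.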

Fortinet FortiSOAR Add-on

Use the Fortinet FortiSOAR Add-on to automatically forward events and alerts from Splunk to FortiSOAR™ and invoke FortiSOAR™ playbooks for investigation.

Version Information:

Applies to: Splunk Enterprise 7.3.8, 8.0.7.

Splunk Technology Add-on Version: 2.6.0

FortiSOAR™ Version Tested on: 6.4.4-3164

Compatibility with Splunk connector Versions: 1.6.1 and later

Authored By: Fortinet

Certified: Yes

Release Notes for Fortinet FortiSOAR Add-on version 2.6.0

Following enhancements have been made to the Fortinet FortiSOAR Add-on in version 2.6.0:

  • Added support for Splunk 8.0.x. See the Splunk 8.0.x support section for more information.
  • Replaced "CyberSponse" with "Fortinet FortiSOAR".

Installing and configuring the Fortinet FortiSOAR Add-on

The Fortinet Splunk Add-on is designed to work in conjunction with normal events as well as notable events from Splunk ES. While ES is not a requirement, it is recommended since all bi-directional updates only apply to Splunk notable events.

Upgrading Fortinet FortiSOAR Add-on

To upgrade to Fortinet FortiSOAR Add-on 2.6.0, you must first delete version 2.5.0 of the Fortinet FortiSOAR Add-on and install the new version.

Capabilities of the Fortinet FortiSOAR Add-on

  • Both Splunk ES and FortiSOAR can track workflow status for incidents or alerts, such as changes to the incident’s estimated urgency, who is investigating the incident, the current status of the investigation, and comments on the incident. This add-on coordinates that status tracking so that both ES and FortiSOAR™ follow each other’s status changes and update local status accordingly.
  • This add-on adds workflow actions in both Splunk Search and ES’s Incident Review page allowing users to create FortiSOAR™ alerts or incidents out of arbitrary Splunk events.

Installing the Splunk application

  1. Import the Fortinet Splunk App TA-fortinet-fortisoar-x.x.x.tar.gz into Splunk ES Search Head.
    Important: The TA-fortinet-fortisoar-2.6.0.tar.gz file is attached to this article and it also can be downloaded from the Splunk Store.

  2. Configure the TA-fortinet-fortisoar-x.x.x.tar.gz.
    Specify a FortiSOAR user who has permission to view and trigger FortiSOAR playbooks.

  3. Ensure that the Splunk server has connectivity to the FortiSOAR™ server and can send requests to the FortiSOAR™ instance on port 443.

Integration Points

The Fortinet FortiSOAR Add-on provides the following integration points:

1. Alert Actions

  1. FortiSOAR: Create Alert - Creates an alert in FortiSOAR with the event data. Triggers the FortiSOAR playbook Splunk Inbound Alert with the api/triggers/1/splunkAlert API trigger. Ensure that the playbook is Active for automated Alert creation.
  2. FortiSOAR: Create Incident - Creates an incident in FortiSOAR with the event data. Triggers the FortiSOAR playbook Splunk Inbound Incident with the api/triggers/1/splunkIncident API trigger. Ensure that the playbook is Active for automated Incident creation.
  3. FortiSOAR: Run Playbook - Lists all active FortiSOAR playbooks that have an API Trigger as the starting step. The list of playbooks can additionally be filtered based on tags, which are specified in the Set Up page of the Fortinet FortiSOAR Add-on.

    Alternatively, specify the FortiSOAR playbook to be invoked explicitly; this also lets you override the FortiSOAR™ endpoint and appliance keys that were specified in the application configuration.
    Note: To generate APPLIANCE_PRIVATE_KEY and APPLIANCE_PUBLIC_KEY, log on to FortiSOAR™ as an administrator and click Settings > Appliances. Click Add to create a new appliance. On the New Appliance page, specify the name of the appliance, select the Team(s) and Role(s) that apply to this appliance (that is, the Application Administrator and Playbook Administrator roles), and click Save. Once you save the new appliance record, FortiSOAR™ displays a pair of public/private cryptographic keys in a modal window. You must keep a copy of these keys and add them to the APPLIANCE_PRIVATE_KEY and APPLIANCE_PUBLIC_KEY fields. The private key authenticates the add-on as this appliance with those roles, so treat it as a credential: store it only in the add-on configuration and give the appliance no more roles than the playbooks it triggers require.

2. Event Actions

Note: The actions listed in this section are available for both notable and non-notable events.

  1. FortiSOAR: Create Alert
  2. FortiSOAR: Create Incident

3. Adaptive Response Actions

  1. FortiSOAR: Run Playbook

4. Saved Searches

The Fortinet Splunk Add-on adds the following searches to Splunk ES. Schedule one of these searches to run every minute to enable automated creation of FortiSOAR alerts or incidents for every Splunk notable:

  1. Send ES notable events to FortiSOAR as alerts
  2. Send ES notable events to FortiSOAR as incidents
    To keep the notable status, assignee, and severity updates synchronized between the two products, schedule the following search:
  3. Send ES notable updates to FortiSOAR
    By default, this search sends the ES notable updates to FortiSOAR™ as an alert. If you are ingesting the events as incidents in FortiSOAR™, edit the macros.conf file in the Fortinet Splunk Add-on and set the update_type macro to incident-update.
    These searches invoke the FortiSOAR playbooks Splunk Alert Update or Splunk Incident Update whenever the Status, Urgency, or Assignee of a notable is updated in Splunk, so that the corresponding fields are updated in the FortiSOAR module, provided that the playbooks are in the Active state.

5. Commands

  1. cybersponsesend
    This command can also be used directly to forward any search result to FortiSOAR™ as an alert or incident. For example,
    <search> | cybersponsesend alert
    <search> | cybersponsesend incident

Additionally, the add-on also provides an automated update of Splunk notables, if the Status, Assignee or Urgency fields are updated on the corresponding FortiSOAR module. The playbooks Update Splunk on Alert Post-Update and Update Splunk on Incident Post-Update are triggered whenever the FortiSOAR module is updated, provided the playbooks are in the Active state.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling events from Splunk. Currently, "events" in Splunk are mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming Splunk "Events" to FortiSOAR™ "Alerts".

The Data Ingestion Wizard enables you to configure scheduled pulling of data from Splunk into FortiSOAR. It also lets you pull some sample data from Splunk, using which you can define the mapping of data between Splunk and FortiSOAR. The mapping of common fields is generally already done by the Data Ingestion Wizard; users mostly only need to map any custom fields that are added to the Splunk event.

  1. To begin configuring data ingestion, click Configure Data Ingestion on the Splunk connector’s "Configurations" page.
    Click Let’s Start by fetching some data, to open the “Fetch Sample Data” screen.

    Sample data is required to create a field mapping between Splunk data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
  2. On the Fetch Data screen, provide the configurations required to fetch Splunk data.
    Users can choose to pull data from Splunk by specifying a 'search query' based on which events should be pulled from Splunk. You can also specify additional parameters, such as the time range or bound of the search, by specifying the start (earliest) time and the end (latest) time for the search, and the mode of execution for the search, the choices being One Shot, Blocking, or Normal, based on which you want to pull events from Splunk. The fetched data is used to create a mapping between the Splunk data and FortiSOAR™ alerts.

    Once you have completed specifying the configurations, click Fetch Data.
  3. On the Field Mapping screen, map the fields of a Splunk event to the fields of an alert present in FortiSOAR™.
    To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the _time parameter of a Splunk event to the Event Time parameter of a FortiSOAR™ alert, click the Event Time field and then click the _time field to populate its keys:

    For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed mapping fields, click Save Mapping & Continue.

  4. (Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to Splunk, so that the content gets pulled from the Splunk integration into FortiSOAR™.
    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
    In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull data from Splunk every 5 minutes, click Every X Minute and in the minute box enter */5. This would mean that based on the configuration you have set up, data, i.e., alerts will be pulled from Splunk every 5 minutes.

    Once you have completed scheduling, click Save Settings & Continue.

  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.



Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-splunk

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Splunk connector row, and in the Configure tab enter the required configuration details.

  • Server Address - IP or FQDN of the Splunk server to which you will connect and perform automated operations. For example, mySplunkServer.
  • Username - Username to access the Splunk endpoint.
  • Password - Password to access the Splunk endpoint.
  • Protocol - Protocol that will be used to communicate with the Splunk server. Choose either http or https. By default, this is set to https.
  • Splunk API Port - REST API port of the Splunk server. Defaults to 8089.
  • Application Namespace - Namespace that will be used for invoking all of the Splunk APIs. For more information about namespaces, see the Splunk Documentation.
  • Verify SSL - Specifies whether the SSL certificate for the server is to be verified or not. Defaults to True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

  • Invoke Search - Invokes a search on the Splunk server. Annotation: search_query; Category: Investigation
  • Get Details for a Search - Retrieves the details for a Splunk search. Annotation: get_result; Category: Investigation
  • Get Events for a Search - Retrieves the event details for a Splunk search. Annotation: get_events; Category: Investigation
  • Get Results for a Search - Retrieves the results for a Splunk search. Annotation: get_result; Category: Investigation
  • Get Splunk Action - Retrieves details of the available Splunk alert actions or adaptive response actions. Annotation: get_command; Category: Investigation
  • Run Splunk Action - Runs an alert action or an adaptive response action on a search result or a notable. Annotation: run_command; Category: Investigation
  • Update Splunk Notables - Updates Splunk notables when FortiSOAR™ is updated. Annotation: update_record; Category: Investigation
  • Sync Splunk Users to FortiSOAR - Synchronizes a Splunk Enterprise Security (ES) user to FortiSOAR™ for correlation between FortiSOAR™ and Splunk. Note: Synchronize only those users who are allowed to be assigned to notable events. Annotation: sync_users; Category: Miscellaneous
  • Get List Of Triggered Alerts - Retrieves a list of alerts that are triggered on Splunk based on the parameters you have specified. Annotation: get_alerts; Category: Investigation
  • Get Details Of Triggered Alert - Retrieves information about an alert triggered on Splunk based on the name of the alert you have specified. Annotation: get_alert; Category: Investigation
  • Add Comment to Splunk Notables - Adds a comment to the specified Splunk notable event ID(s); use a comma-separated list in case of multiple events. Annotation: update_record; Category: Investigation
  • Get All Collections from Splunk App - Retrieves a list containing all KVStore collections stored in the context of a specified Splunk App, based on the application name and other input parameters you have specified. Annotation: get_all_collections; Category: Investigation
  • Add New Collection to Splunk App - Adds a new KVStore collection to a specified Splunk App, based on the application name, collection name, and other input parameters you have specified. Annotation: add_new_collection; Category: Investigation
  • Fetch Records from Collection - Retrieves a list of all records of a specified collection within the specified Splunk App, based on the application name, collection name, and other input parameters you have specified. Annotation: get_records_in_collection; Category: Investigation
  • Add Record to a Collection - Adds a record to an existing KVStore collection within the specified Splunk App, based on the application name, collection name, record key and value, and other input parameters you have specified. Annotation: add_record_to_collection; Category: Investigation
  • Delete Record From a Collection - Removes a record from an existing KVStore collection within the specified Splunk App, based on the application name, collection name, record ID, and other input parameters you have specified. Annotation: delete_record_from_collection; Category: Investigation

operation: Invoke Search

Input parameters

  • Search Query - Query for the search that you want to run on the Splunk server. Defaults to search host="{{vars.result.data.host}}".
  • Earliest Time (Optional) - Start time for the search. Input type is string. If this parameter is left empty, it is set to the current time. For example, -30m or -14d@d, where 'm' stands for minutes and 'd' stands for days: -30m means the last 30 minutes and -14d@d means the last 14 days. For the time format, see http://docs.splunk.com/Documentation/Splunk/8.0.7/SearchReference/SearchTimeModifiers.
  • Latest Time (Optional) - End time for the search. Input type is string. If this parameter is left empty, it is set to the current time. For the time format, see http://docs.splunk.com/Documentation/Splunk/8.0.7/SearchReference/SearchTimeModifiers.
  • Execution Mode - Mode of execution for this operation. You can choose one of the following options:
    Normal: To run an asynchronous search.
    Blocking: To return the sid when the job is complete.
    One Shot: To return results in the same call. In this case, you can specify the format for the output (for example, JSON output) using the output_mode parameter as described in GET search/jobs/export. The default format for output is XML.
  • Timeout (Optional) - Time, in seconds, of inactivity after which the search job automatically cancels (0 = Never auto-cancel).
  • Additional Search Arguments - Additional parameters for the search. You can specify additional parameters, such as time windows, to your search query to get specific search results. For more information, see the Splunk REST API Reference Manual. Note: To run a search in verbose mode, add the following parameter: {"adhoc_search_level": "verbose"}.

Output

The JSON output contains the data retrieved based on the search query. The search results depend on the additional parameters specified in the search. If the search is run in blocking or normal mode, the sid is returned. For example, {"sid": "1496222688.33"}.

The output contains the following populated JSON schema:
{
"sid": ""
}
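The Invoke Search parameters above map onto Splunk's search/jobs REST endpoint. As an added example that is not part of the Fortinet connector, the following Python builds that request from the documented inputs, validates the relative time modifiers, interprets the reply for each execution mode, and flags queries that need adhoc_search_level=verbose (the condition described in the note under Get Events for a Search). The function names, the simplified time-modifier check, and the pipe heuristic are this example's own assumptions.

```python
"""Added example, not part of the Fortinet Splunk connector: shows how the
"Invoke Search" inputs map onto a Splunk REST search job request
(POST /services/search/jobs) and how each execution mode shapes the reply.
Function names and the heuristics below are this example's own assumptions."""
import json
import re

# Connector execution modes -> Splunk REST exec_mode values.
EXEC_MODES = {"Normal": "normal", "Blocking": "blocking", "One Shot": "oneshot"}

# Simplified check (assumption): relative modifiers such as -30m or -14d@d,
# optionally snapped with @unit, the keyword "now", or epoch seconds.
_TIME_MODIFIER = re.compile(
    r"^(now|[+-]?\d+(s|m|h|d|w|mon|q|y)(@(s|m|h|d|w|mon|q|y)\d*)?|\d{9,10})$"
)


def validate_time_modifier(value):
    """Return the modifier unchanged, or raise ValueError for a malformed one.
    An empty value is allowed: the connector then uses the current time."""
    if value in ("", None):
        return ""
    if not _TIME_MODIFIER.match(value):
        raise ValueError("unsupported Splunk time modifier: %r" % value)
    return value


def build_search_job_request(search_query, execution_mode, earliest_time="",
                             latest_time="", timeout=None, additional_args=None):
    """Build the form fields for POST /services/search/jobs from the inputs.

    additional_args is the "Additional Search Arguments" JSON object, e.g.
    {"adhoc_search_level": "verbose"}; it is merged last so that it can
    override the derived fields, as a free-form argument field would.
    """
    if execution_mode not in EXEC_MODES:
        raise ValueError("execution mode must be one of %s" % sorted(EXEC_MODES))
    query = search_query.strip()
    # The jobs endpoint expects SPL starting with a generating command; a bare
    # filter such as host=web01 is prefixed with "search", the SPL default.
    if not query.startswith(("search ", "|")):
        query = "search " + query
    fields = {"search": query, "exec_mode": EXEC_MODES[execution_mode]}
    if earliest_time:
        fields["earliest_time"] = validate_time_modifier(earliest_time)
    if latest_time:
        fields["latest_time"] = validate_time_modifier(latest_time)
    if timeout is not None:
        fields["timeout"] = str(int(timeout))  # 0 = never auto-cancel
    if execution_mode == "One Shot":
        # Results come back in the same call; XML unless output_mode is set.
        fields.setdefault("output_mode", "json")
    if additional_args:
        if isinstance(additional_args, str):
            additional_args = json.loads(additional_args)
        fields.update({k: str(v) for k, v in additional_args.items()})
    return fields


def needs_verbose_for_events(search_query):
    """Heuristic (assumption): a transforming command after a pipe, such as
    stats, means Get Events returns nothing unless the job ran with
    adhoc_search_level=verbose."""
    pattern = r"\|\s*(stats|chart|timechart|top|rare|table)\b"
    return bool(re.search(pattern, search_query))


def parse_search_job_response(execution_mode, body):
    """Interpret the reply body for the given mode.

    Normal and Blocking return {"sid": ...}; One Shot with output_mode=json
    returns the results document directly, so no sid is present."""
    data = json.loads(body)
    if execution_mode in ("Normal", "Blocking"):
        if "sid" not in data:
            raise ValueError("expected a sid in the response: %r" % data)
        return {"sid": data["sid"], "results": None}
    return {"sid": None, "results": data.get("results", [])}


if __name__ == "__main__":
    # Constructed inputs mirroring the parameter examples on this page.
    request = build_search_job_request(
        "host=web01", "Blocking", earliest_time="-30m",
        additional_args='{"adhoc_search_level": "verbose"}')
    print(request)
    # Constructed reply in the shape the page shows for blocking mode.
    print(parse_search_job_response("Blocking", '{"sid": "1496222688.33"}'))
```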

operation: Get Details for a Search

Input parameters

  • Search ID - ID of the Splunk search for which you want to retrieve details. Defaults to {"value": "{{vars.request.data.sid}}"}.

Output

The JSON output contains all the details based on the specified search ID.

The output contains the following populated JSON schema:
{
"entry": [
{
"acl": {},
"content": {},
"links": [],
"author": "",
"id": "",
"name": ""
}
],
"paging": {},
"generator": {},
"origin": "",
"links": {},
"updated": ""
}

operation: Get Events for a Search

Input parameters

  • Search ID - ID of the Splunk search for which you want to retrieve events. Defaults to {"value": "{{vars.request.data.sid}}"}.
  • Additional Request Parameters - Optional parameter. You can add other request parameters in the JSON format. For example, {"output_mode": "json", "count": 10}

Note: If your search query has additional commands, such as stats, run on the events from the search, the Get Events API returns an empty result if the search is not run in verbose mode. To set the verbose mode, add the following parameter to the Additional Search Arguments parameter in the Invoke Search operation: {"adhoc_search_level": "verbose"}.

Output

The output contains the following populated JSON schema:
{
"fields": [],
"results": []
}

operation: Get Results for a Search

Input parameters

  • Search Id - ID of the Splunk search as a JSON. For example, {'value': {{vars.sid}}}. Note: You must add the Search ID as a JSON with the key value as specified in the example; otherwise, the operation might fail.
  • Additional Request Parameters (Optional) - You can add other request parameters in the JSON format. For example, {"output_mode": "json", "count": 10}

Output

The JSON output contains the transformed results for the specified Splunk search in a search result.

The output contains the following populated JSON schema:
{
"init_offset": 0,
"fields": [],
"messages": [],
"results": [],
"preview": false,
"highlighted": {}
}

operation: Get Splunk Action

Input parameters

  • Action Name - Name of the action for which the details are to be fetched. A match for this name is looked for in the action name, description, and label of a Splunk action. This is an optional parameter; if you do not specify it, this operation fetches a list of all Splunk actions.

Output

The JSON output contains input parameters and other details for all alert actions that match the action name you have specified.

The output contains the following populated JSON schema:
{
"content": {},
"id": "",
"name": ""
}

operation: Run Splunk Action

Input parameters

  • Notable Event Id - ID of the notable event on which you want to run the action.
  • Search Id - ID of the Splunk search on which you want to run the action. You must specify either the Notable Event Id or the Search Id.
  • Action Name - Name of the action to be run.
  • Action Parameters - Parameters of the action that you want to run. For example, a parameter in the JSON format would be {"max_results": "1"}. Note: You can use the Get Splunk Action operation to get the parameter names for a specific action.
  • Frequency - If you are running the operation on search results, this parameter specifies whether the action should be run only once for the entire result set or once for each result.

Output

This operation executes the action with the help of the sendalert command from Splunk. The JSON output contains the events from the execution of the sendalert command and varies for each command. The following image displays the output of the execution of the SplunkES Risk Analysis AR action on a notable event:

The output contains a non-dictionary value.

operation: Update Splunk Notables

Input parameters

Note: Include this operation in a Splunk playbook and notables will get updated on Splunk when they are updated on FortiSOAR™.

  • Notable Event ID - ID of the notable event that you want to update on Splunk.
  • Status - Status of the Splunk notable. You can specify any of the following values: Unassigned, New, In Progress, Pending, Resolved, or Closed.
  • Urgency - Urgency of the Splunk notable. You can specify any of the following values: Info, Low, Medium, High, or Critical.
  • Owner - Owner of the Splunk notable event.

Output

The JSON output returns a status containing "success" if the Splunk notables are updated, or "failure" with the reason for failure if the Splunk notables are not updated.

The output contains the following populated JSON schema:
{
"status": "",
"result": ""
}

operation: Sync Splunk Users to FortiSOAR

Input parameters

None. Include this operation in a Splunk playbook and users will get updated on Splunk when they are updated in FortiSOAR™.

Output

The JSON output returns a Success message if the Splunk users are synchronized, or an Error message containing the reason for failure. The output also contains the names of the users.

The output contains a non-dictionary value.

operation: Get List Of Triggered Alerts

Input parameters

  • Max Number Of Entries To Return - Maximum number of triggered alerts that you want the operation to return. Set the value to -1 if you want to retrieve all the triggered alerts.
  • Offset - Index of the first item to return.
  • Response Filter - Filter used to specify which triggered alerts must be returned. The values of the response fields are matched against this search expression. Examples: search=foo matches any field that has the string foo in its name; search=field_name%3Dfield_value restricts the match to a single field (requires URI-encoding).
  • Sort By - Sorting order of the result; choose between asc (ascending) or desc (descending).
  • Field Name To Use For Sorting - Name of the field on which you want to sort the result.
  • Sort Mode - Logical sequencing (collation) of the results. Choose between the following:
    auto: If all field values are numeric, collate numerically; otherwise, collate alphabetically.
    alpha: Collate field values alphabetically, not case-sensitive.
    alpha_case: Collate field values alphabetically, case-sensitive.
    num: Collate field values numerically.

Output

The JSON output contains a list of alerts and other details for all alerts triggered on Splunk based on the parameters you have specified.

The output contains the following populated JSON schema:
{
"entry": [
{
"name": "",
"author": "",
"acl": {
"removable": "",
"can_write": "",
"sharing": "",
"app": "",
"perms": {
"write": [],
"read": []
},
"modifiable": "",
"can_list": "",
"owner": ""
},
"id": "",
"updated": "",
"content": {
"triggered_alert_count": "",
"eai:acl": ""
},
"links": {
"list": "",
"alternate": ""
}
}
],
"paging": {
"perPage": "",
"total": "",
"offset": ""
},
"generator": {
"version": "",
"build": ""
},
"origin": "",
"messages": [],
"updated": "",
"links": {
"_acl": ""
}
}

operation: Get Details Of Triggered Alert

Input parameters

  • Alert Name - Name of the triggered alert for which the details are to be fetched.

Output

The JSON output contains details for the triggered alert that match the alert name you have specified.

The output contains the following populated JSON schema:
{
"paging": {
"perPage": "",
"offset": "",
"total": ""
},
"entry": [
{
"published": "",
"author": "",
"name": "",
"links": {
"job": "",
"savedsearch": "",
"list": "",
"alternate": "",
"remove": ""
},
"acl": {
"removable": "",
"can_write": "",
"sharing": "",
"app": "",
"perms": {
"write": [],
"read": []
},
"modifiable": "",
"can_list": "",
"owner": ""
},
"id": "",
"updated": "",
"content": {
"triggered_alerts": "",
"trigger_time_rendered": "",
"trigger_time": "",
"severity": "",
"actions": "",
"sid": "",
"expiration_time_rendered": "",
"savedsearch_name": "",
"alert_type": "",
"eai:acl": "",
"digest_mode": ""
}
}
],
"generator": {
"version": "",
"build": ""
},
"origin": "",
"links": {
"_acl": ""
},
"updated": "",
"messages": []
}

operation: Add Comment to Splunk Notables

Input parameters

  • Notable Event Ids - ID(s) of the notable event(s) to which you want to add comments. Use a comma-separated list of IDs in case of multiple events.
  • Comment - Comment that you want to add to the Splunk notable event(s).

Output

The JSON output returns a Success message if the Splunk notable event(s) are updated, or an Error message containing the reason for failure.

The output contains a non-dictionary value.

operation: Get All Collections from Splunk App

Input parameters

  • Owner (Optional) - Name of the user who owns the collections in the specified Splunk app.
  • App Name - Name of the Splunk app whose complete list of collections you want to retrieve from Splunk.

Output

The output contains the following populated JSON schema:
{
"messages": [],
"updated": "",
"origin": "",
"paging": {
"perPage": "",
"total": "",
"offset": ""
},
"links": {
"_acl": "",
"_reload": "",
"create": ""
},
"generator": {
"build": "",
"version": ""
},
"entry": [
{
"updated": "",
"id": "",
"author": "",
"content": {
"eai:appName": "",
"replication_dump_maximum_file_size": "",
"field._time": "",
"replication_dump_strategy": "",
"disabled": "",
"profilingThresholdMs": "",
"field.data": "",
"eai:acl": "",
"profilingEnabled": "",
"type": "",
"field.user": "",
"field.splunk_server": "",
"replicate": "",
"eai:userName": "",
"accelerated_fields.default": ""
},
"acl": {
"modifiable": "",
"removable": "",
"can_share_app": "",
"perms": {
"read": [],
"write": []
},
"can_share_global": "",
"sharing": "",
"can_write": "",
"app": "",
"can_list": "",
"can_share_user": "",
"owner": "",
"can_change_perms": ""
},
"links": {
"list": "",
"_reload": "",
"alternate": "",
"edit": "",
"disable": ""
},
"name": ""
}
]
}

operation: Add New Collection to Splunk App

Input parameters

  • Owner (Optional) - Name of the user who owns the collection in the Splunk app to which you want to add a new collection.
  • App Name - Name of the app to which you want to add the new collection.
  • Collection Name - Name of the new collection that you want to add to the Splunk app.

Output

The output contains the following populated JSON schema:
{
"messages": [],
"updated": "",
"origin": "",
"paging": {
"perPage": "",
"total": "",
"offset": ""
},
"links": {
"_acl": "",
"_reload": "",
"create": ""
},
"generator": {
"build": "",
"version": ""
},
"entry": [
{
"updated": "",
"id": "",
"author": "",
"content": {
"profilingEnabled": "",
"profilingThresholdMs": "",
"eai:appName": "",
"replication_dump_maximum_file_size": "",
"replication_dump_strategy": "",
"disabled": "",
"type": "",
"replicate": "",
"eai:acl": "",
"eai:userName": ""
},
"acl": {
"modifiable": "",
"removable": "",
"can_share_app": "",
"perms": {
"read": [],
"write": []
},
"can_share_global": "",
"sharing": "",
"can_write": "",
"app": "",
"can_list": "",
"can_share_user": "",
"owner": "",
"can_change_perms": ""
},
"links": {
"list": "",
"remove": "",
"disable": "",
"_reload": "",
"alternate": "",
"edit": ""
},
"name": ""
}
]
}

operation: Fetch Records from Collection

Input parameters

  • Owner (Optional) - Name of the user who owns the collection in the specified Splunk app.
  • App Name - Name of the Splunk app that the collection is part of.
  • Collection Name - Name of the collection whose records you want to retrieve from Splunk.

Output

The output contains the following populated JSON schema:
{
"_user": "",
"_key": ""
}

operation: Add Record to a Collection

Input parameters

  • Owner (Optional) - Name of the user who owns the collection in the Splunk app to which you want to add records.
  • App Name - Name of the Splunk app that contains the collection to which you want to add records.
  • Collection Name - Name of the collection to which you want to add records.
  • Record Key - Key of the record that you want to add to the specified collection.
  • Record Value - Value of the record that you want to add to the specified collection.

Output

The output contains the following populated JSON schema:
{
"_key": ""
}

operation: Delete Record From a Collection

Input parameters

  • Owner (Optional) - Name of the user who owns the collection in the Splunk app from which you want to delete records.
  • App Name - Name of the Splunk app that contains the collection from which you want to delete records.
  • Collection Name - Name of the collection from which you want to delete records.
  • Record ID - ID of the record that you want to delete from the specified collection.

Output

The output contains the following populated JSON schema:
{
"success": ""
}

Included playbooks

The Sample-Splunk-1.6.1 playbook collection comes bundled with the Splunk connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Splunk connector.

The Splunk > Get List of Triggered Alerts playbook is used for the Adaptive Response action FortiSOAR: Run Playbook.

The sample playbooks from 2 to 8 work in conjunction with the TA-fortinet-fortisoar-x.x.x.tar.gz to invoke FortiSOAR actions from the Splunk UI and also to automatically forward Splunk alerts and notables as FortiSOAR Alerts and Incidents. For more information, see the Fortinet FortiSOAR Add-on section.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.

Additional configurations required for automatically creating and updating alerts

1. Synchronizing Splunk ES users with FortiSOAR™

Use the Sync Splunk Users to FortiSOAR connector function in a playbook to synchronize specific Splunk users to FortiSOAR™. Synchronize only those users who are allowed to be assigned to notable events. Synchronizing the users would enable FortiSOAR™ to assign the FortiSOAR alert to the same user as the Assignee for the corresponding Splunk notables.

2. Updating the FortiSOAR™ modules

Note: This procedure is optional, and it enables the bidirectional update of notables. Therefore, perform this procedure, only if you require the Splunk notables to be automatically updated if the corresponding FortiSOAR™ incident or alert module is updated and vice-versa. This procedure also assumes that you are using FortiSOAR™ version 4.10.1 or higher. If you are using a different version of FortiSOAR™, such as FortiSOAR™ 4.9, then it is possible that the FortiSOAR™ UI navigation is different. Refer to the FortiSOAR™ documentation of that particular version for details about FortiSOAR™ navigation.

When a Splunk ES notable event is mapped to a FortiSOAR™ alert or incident, the Status and Urgency of the event can be mapped into the equivalent fields in the FortiSOAR™ modules. The sample playbooks included with Splunk 1.5.0 and later already contain the mapping for the FortiSOAR™ incident and alert modules in their "Configuration" step. The following image is of the Configuration step in the Splunk > Inbound Alert playbook that contains the mapping:

Modifying the default Alert and Incident Creation Behavior

As mentioned in the Integration Points section, the actions from the Fortinet Splunk Add-on invoke playbooks bundled with the Fortinet Splunk connector for the desired automation. If you want to customize the default behavior of the playbooks, you can either modify the existing playbook or create and invoke a new playbook. If you are creating a new playbook, you must deactivate or delete the corresponding sample playbook and write a new playbook with the same API trigger.

The following table lists the API trigger and the corresponding default playbook for your easy reference:

  1. FortiSOAR: Create Alert - API Trigger: api/triggers/1/splunkAlert; Default Playbook: Splunk > Inbound Alert
  2. FortiSOAR: Create Incident - API Trigger: api/triggers/1/splunkIncident; Default Playbook: Splunk > Inbound Incident
  3. Updating the FortiSOAR Alert when the corresponding notable event is updated - API Trigger: api/triggers/1/splunkAlertUpdate; Default Playbook: Splunk > Alert Update
  4. Updating the FortiSOAR Incident when the corresponding notable event is updated - API Trigger: api/triggers/1/splunkIncidentUpdate; Default Playbook: Splunk > Incident Update
  5. Updating Splunk on Alert Post-Update - API Trigger: NA; Default Playbook: Splunk > Alert Post-Update
  6. Updating Splunk on Incident Post-Update - API Trigger: NA; Default Playbook: Splunk > Incident Post-Update

The playbooks are installed with the FortiSOAR Splunk connector. For integrations 5 and 6 to work, ensure that you have updated the connector steps in the appropriate playbook to point to your Splunk configuration.

It is recommended that you make a copy of these playbooks and then customize them as per your requirements. Once you have a working copy, ensure that you set the state of the sample playbooks to Inactive; otherwise, both the playbooks will be triggered whenever events are forwarded from Splunk.

Troubleshooting

Fingerprint has expired error is observed in the TA-fortinet-fortisoar-x.x.x.tar log

The "Fingerprint has expired" error is seen in the ta-fortinet-fortisoar_fortisoar_common.connection.log file.

Resolution:

This issue could occur in cases where there is a difference between the time of the Splunk Search Head and the FortiSOAR™ instance. Resolve this issue by synchronizing the time of the Splunk Search Head and your FortiSOAR™ instance to a common NTP server.

Fortinet FortiSOAR Add-on

Use the Fortinet FortiSOAR Add-on to automatically forward events and alerts from Splunk to FortiSOAR™ and invoke FortiSOAR™ playbooks for investigation.

Version Information:

Applies to: Splunk Enterprise 7.3.8, 8.0.7.

Splunk Technology Add-on Version: 2.6.0

FortiSOAR™ Version Tested on: 6.4.4-3164

Compatibility with Splunk connector Versions: 1.6.1 and later

Authored By: Fortinet

Certified: Yes

Release Notes for Fortinet FortiSOAR Add-on version 2.6.0

The following enhancements have been made to the Fortinet FortiSOAR Add-on in version 2.6.0:

Installing and configuring the Fortinet FortiSOAR Add-on

The Fortinet Splunk Add-on is designed to work with normal events as well as notable events from Splunk ES. While ES is not a requirement, it is recommended, since bi-directional updates apply only to Splunk notable events.

Upgrading Fortinet FortiSOAR Add-on

To upgrade to Fortinet FortiSOAR Add-on 2.6.0, you must first delete version 2.5.0 of the Fortinet FortiSOAR Add-on and install the new version.

Capabilities of the Fortinet FortiSOAR Add-on

Installing the Splunk application

  1. Import the Fortinet Splunk App TA-fortinet-fortisoar-x.x.x.tar.gz into Splunk ES Search Head.
    Important: The TA-fortinet-fortisoar-2.6.0.tar.gz file is attached to this article and can also be downloaded from the Splunk Store.

  2. Configure the TA-fortinet-fortisoar-x.x.x.tar.gz.
    Specify a FortiSOAR user who has permission to view and trigger FortiSOAR playbooks.

  3. Ensure that the Splunk server has connectivity to the FortiSOAR™ server and can send requests to the FortiSOAR™ instance on port 443.

Integration Points

The Fortinet FortiSOAR Add-on provides the following integration points:

1. Alert Actions

  1. FortiSOAR: Create Alert - Creates an alert in FortiSOAR with the event data. Triggers the FortiSOAR playbook Splunk Inbound Alert with the api/triggers/1/splunkAlert API trigger. Ensure that the playbook is Active for automated Alert creation.
  2. FortiSOAR: Create Incident - Creates an incident in FortiSOAR with the event data. Triggers the FortiSOAR playbook Splunk Inbound Incident with the api/triggers/1/splunkIncident API trigger. Ensure that the playbook is Active for automated Incident creation.
  3. FortiSOAR: Run Playbook - Lists all active FortiSOAR playbooks that have an API Trigger as their starting step. The list of playbooks can additionally be filtered by tags; the tags are specified on the Set Up page of the Fortinet Splunk Add-on.

    OR
    Specify the FortiSOAR playbook to be invoked, overriding the FortiSOAR™ endpoint and Appliance Keys that were specified in the application configuration.
    Note: To generate the APPLIANCE_PRIVATE_KEY and APPLIANCE_PUBLIC_KEY, log on to FortiSOAR™ as an administrator and click Settings > Appliances. Click Add to create a new appliance. On the New Appliance page, specify the name of the appliance, select the Team(s) and Role(s) that apply to this appliance (for example, the Application Administrator and Playbook Administrator roles), and click Save. Once you save the new appliance record, FortiSOAR™ displays a pair of public/private cryptographic keys in a modal window. You must keep a copy of these keys and add them to the APPLIANCE_PRIVATE_KEY and APPLIANCE_PUBLIC_KEY fields.

2. Event Actions

Note: The actions listed in this section are available for both notable and non-notable events.

  1. FortiSOAR: Create Alert
  2. FortiSOAR: Create Incident

3. Adaptive Response Actions

  1. FortiSOAR: Run Playbook

4. Saved Searches

The Fortinet Splunk Add-on adds the following searches to Splunk ES. Schedule one of these searches to run every minute to enable automated creation of FortiSOAR alerts or incidents for every Splunk notable:

  1. Send ES notable events to FortiSOAR as alerts
  2. Send ES notable events to FortiSOAR as incidents

To keep the notable status, assignee, and severity updates synchronized between the two products, schedule the following search:

  3. Send ES notable updates to FortiSOAR
    By default, this search sends the ES notable updates to FortiSOAR™ as an alert. If you are ingesting the events as incidents in FortiSOAR™, edit the macros.conf file in the Fortinet Splunk Add-on and set the update_type macro to incident-update.
    This search invokes the FortiSOAR playbook Splunk Alert Update or Splunk Incident Update whenever the Status, Urgency or Assignee of a notable is updated in Splunk, so that the corresponding fields are updated in the FortiSOAR module, provided that the playbooks are in the Active state.

5. Commands

  1. cybersponsesend
    This command can also be used directly to forward any search result to FortiSOAR™ as an alert or an incident. For example:
    <search> | cybersponsesend alert
    <search> | cybersponsesend incident

Additionally, the add-on provides an automated update of Splunk notables when the Status, Assignee or Urgency fields are updated on the corresponding FortiSOAR module. The playbooks Update Splunk on Alert Post-Update and Update Splunk on Incident Post-Update are triggered whenever the FortiSOAR module is updated, provided the playbooks are in the Active state.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling events from Splunk. Currently, "events" in Splunk are mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the "Data Ingestion Wizard" to seamlessly map the incoming Splunk "Events" to FortiSOAR™ "Alerts".

The Data Ingestion Wizard enables you to configure scheduled pulling of data from Splunk into FortiSOAR. It also lets you pull some sample data from Splunk, which you use to define the mapping of data between Splunk and FortiSOAR. The mapping of common fields is generally already done by the Data Ingestion Wizard; users usually need to map only the custom fields that have been added to the Splunk event.

  1. To begin configuring data ingestion, click Configure Data Ingestion on the Splunk connector’s "Configurations" page.
    Click Let’s Start by fetching some data, to open the “Fetch Sample Data” screen.

    Sample data is required to create a field mapping between Splunk data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
  2. On the Fetch Data screen, provide the configurations required to fetch Splunk data.
    You pull data from Splunk by specifying a 'search query' that selects the events to be pulled. You can also specify additional parameters: the time range of the search, given as the start (earliest) time and the end (latest) time, and the execution mode of the search, which is One Shot, Blocking, or Normal. The fetched data is used to create a mapping between the Splunk data and FortiSOAR™ alerts.

    Once you have completed specifying the configurations, click Fetch Data.
  3. On the Field Mapping screen, map the fields of a Splunk event to the fields of an alert present in FortiSOAR™.
    To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the _time parameter of a Splunk event to the Event Time parameter of a FortiSOAR™ alert, click the Event Time field and then click the _time field to populate its keys.

    For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed mapping fields, click Save Mapping & Continue.

  4. (Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to Splunk, so that the content gets pulled from the Splunk integration into FortiSOAR™.
    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
    In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull data from Splunk every 5 minutes, click Every X Minute and enter */5 in the minute box. With this configuration, data (that is, alerts) will be pulled from Splunk every 5 minutes.

    Once you have completed scheduling, click Save Settings & Continue.

  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.

Attachment: TA-fortinet-fortisoar-2.6.0.tar.gz
