FortiSOAR provides powerful bi-directional integration with Splunk. While the Splunk connector provides out-of-the-box support for scheduled data ingestion from Splunk using FortiSOAR™'s Data Ingestion Wizard, the FortiSOAR Splunk add-on can be optionally installed on the Splunk Search Head for some additional capabilities such as automatically forwarding events and alerts from Splunk to FortiSOAR™ and invoking FortiSOAR™ playbooks for investigation.
The Splunk Add-on is designed to work with both normal, and notable events, from Splunk ES. While ES is not a requirement, it is recommended since all bi-directional updates only apply to Splunk's notable events. For more information on using FortiSOAR™'s Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling events from Splunk, see the Splunk connector documentation.
Refer to the Fortinet FortiSOAR Add-on for Splunk page on Splunkbase™ – at https://splunkbase.splunk.com/app/5392 – for overview, version history, and access to other downloadable versions.
Splunk Technology Add-on Version: 4.2.0
FortiSOAR™ Version Tested on: 7.6.0-5012
Splunk connector Versions Tested on: 2.0.0
Authored By: Fortinet
Certified: Yes
The following enhancements have been made to the Fortinet FortiSOAR Splunk Add-on in version 4.2.0:
| Splunk Version | Fortinet FortiSOAR Splunk Add-on version |
|---|---|
| Splunk Cloud | 3.0.1, 4.0.1 |
| Splunk Enterprise 9.0.0.1 | 4.0.0, 4.0.1, 4.2.0 |
| Splunk Enterprise 8.2.0 | 3.0.1 |
| Splunk Enterprise 8.1.0 | 2.7.0, 3.0.1 |
| Splunk Enterprise 8.0.7 | 2.6.0, 2.7.0 |
The Splunk Add-on is designed to work in conjunction with normal events as well as notable events from Splunk ES. While ES is not a requirement, it is recommended since all bi-directional updates only apply to Splunk's notable events.
In your Splunk Instance, click on Browse more apps and search for Fortinet FortiSOAR Add-on for Splunk App.
It is available at https://splunkbase.splunk.com/app/5392/
Log in to your Splunkbase account and install the Splunk add-on.
For steps on upgrading your Fortinet FortiSOAR Splunk Add-on, see the Upgrading the Fortinet FortiSOAR Splunk Add-on topic.
Login to your Splunkbase account and search for the Fortinet FortiSOAR Add-on for Splunk.
It is available at https://splunkbase.splunk.com/app/5392/
Download Fortinet FortiSOAR Add-on for Splunk.
Import the Splunk App TA-fortinet-fortisoar-x.x.x.tar.gz into Splunk ES Search Head.
Important: The TA-fortinet-fortisoar-4.2.0.tar.gz file can be downloaded from Splunkbase.
Configure the TA-fortinet-fortisoar-x.x.x.tar.gz.
Specify a FortiSOAR user who has permission to view and trigger FortiSOAR playbooks.
Ensure that the Splunk server has connectivity to the FortiSOAR™ server and can send requests to the FortiSOAR™ instance on port 443.
Splunk has issued a directive that all Cloud add-ons are required to include SSL certificates for external requests. All Cloud users must therefore perform the following steps to include a certificate on the Splunk server.
Click on the padlock icon next to the FortiSOAR Server URL on your Chrome browser:
Click Connection is secure:
Click Certificate is valid, which in turn displays a new dialog box:
Click the Details tab on the dialog box:
Select the certificate to export all the certificates individually (i.e. server certificate, intermediate certificate, certificate authority certificate, etc), and then click Export:
Save the certificates and prepare them to be used with the Splunk platform:
Combine the server certificate, intermediate certificate, and certificate authority certificate, in this specific order, into a single file. The combined file must be in the Privacy-Enhanced Mail (PEM) format. Use the following Linux command to concat all the certificates:
cat <server certificate file> <intermediate certificate file> <certificate authority certificate file> > <combined server certificate file>
The certificate authority certificate
Once you are satisfied with the review of the combined certificate file, save the file in the Splunk server and provide the path of the file, or provide the FortiSOAR™ server certificate chain in the FortiSOAR Server Certificate field of the Splunk Add-on configuration.
If you have a Splunk Cloud setup then you need to submit a request to Splunk to add the certificate to the Splunk server and then provide the path of the file in the Splunk Add-on configuration.
Deploy the SSL Certificate in on-prem FortiSOAR in case of an on-prem setup:
Obtain certificates (from a certificate authority or a self-signed certificate) and then run the following steps to deploy the certificate:
root user.To deploy your certificate, type the following command:
# csadm certs --deployAt the prompt, specify the following:
For more information, see https://docs.splunk.com/Documentation/Splunk/9.1.1/Security/HowtoprepareyoursignedcertificatesforSplunk.
The Splunk Add-on provides the following integration points:
Splunk Inbound Alert with the api/triggers/1/splunkAlert API trigger. Ensure that the playbook is Active for automated Alert creation.Splunk Inbound Incident with the api/triggers/1/splunkIncident API trigger. Ensure that the playbook is Active for automated Incident creation.FortiSOAR: Run Playbook - Lists all active FortiSOAR playbooks that have an API Trigger as the starting step. The list of playbooks can additionally be filtered based on the tags. The tags are specified in the Set Up page on the Fortinet Splunk Add-on.
OR
Specify the FortiSOAR Playbook that will be Invoked to override the FortiSOAR™ endpoint and Appliance Keys, which have been specified in the application configuration.
Note: To generate APPLIANCE_PRIVATE_KEY and APPLIANCE_PUBLIC_KEY, log on to FortiSOAR™ as an administrator, and click Settings > Appliances. Click Add to create a new appliance. On the New Appliance page specify the name of the appliance and select the Team(s) and Role(s). i.e., Application Administrator and Playbook Administrator roles that apply to this appliance and click Save.
Once you save the new appliance record, FortiSOAR™ displays a pair of Public / Private cryptographic keys in a modal window. You must keep a copy of these keys and add them to the APPLIANCE_PRIVATE_KEY, and APPLIANCE_PUBLIC_KEY fields.
Note: The actions listed in this section are available for both notable and non-notable events.
The Splunk Add-on adds the following searches to Splunk ES. Schedule one of these searches to run every 5 minutes to enable the automated creation of FortiSOAR alerts or incidents for every Splunk notable:
Send ES notable events to FortiSOAR as incidents
To keep the notable status, assignee, and severity updates synchronized between the two products, schedule the following search:
Send ES notable updates to FortiSOAR
By default, this search sends the ES notable updates to FortiSOAR™ as an alert. If you are ingesting the events as incidents in FortiSOAR™, edit the macros.conf file in the Splunk Add-on. In this case, edit the macros.conf file to set the update_type macro to incident-update.
These searches invoke the FortiSOAR playbooks: Splunk Alert Update or Splunk Incident Update, whenever Status, Urgency or Assignee is updated for a notable in Splunk so that the corresponding fields are updated in the FortiSOAR module, provided that the playbooks are in the Active state.
fortisoarsend
This command can also be used directly to forward any search result to FortiSOAR™ as an alert or incident. For example,
<search> | fortisoarsend alert
<search> | fortisoarsend incident
Additionally, the add-on also provides an automated update of Splunk notables, if the Status, Assignee or Urgency fields are updated on the corresponding FortiSOAR module. The playbooks Update Splunk on Alert Post-Update and Update Splunk on Incident Post-Update are triggered whenever the FortiSOAR module is updated, provided the playbooks are in the Active state.
Use the Sync Splunk Users to FortiSOAR connector function in a playbook to synchronize specific Splunk users to FortiSOAR™. Synchronize only those users who are allowed to be assigned to notable events. Synchronizing the users would enable FortiSOAR™ to assign the FortiSOAR alert to the same user as the Assignee for the corresponding Splunk notables.
Note: This procedure is optional, and it enables the bidirectional update of notables. Therefore, perform this procedure, only if you require the Splunk notables to be automatically updated if the corresponding FortiSOAR™ incident or alert module is updated and vice-versa.
When a Splunk ES notable event is mapped to a FortiSOAR™ alert or incident; Status and Urgency of the event can be mapped into the equivalent fields in the FortiSOAR™ modules. The sample playbooks included with Splunk 1.5.0 and later already contain the mapping for the FortiSOAR™ incident and alert modules in their Configuration step. The following image is of the Configuration step in the Splunk > Inbound Alert playbook that contains the mapping:
As mentioned in the Integration Points section, the actions from the FortiSOAR Splunk Add-on invokes playbooks bundled with the Splunk connector for the desired automation. If you want to customize the default behavior of the playbooks, you can either modify the existing playbook or create and invoke a new playbook. In case you are creating a new playbook, you must deactivate or delete the corresponding sample playbook and write a new playbook with the same API trigger.
The following table lists the API trigger and the corresponding default playbook for your easy reference:
| S.No. | Action | API Trigger | Default Playbook |
|---|---|---|---|
| 1 | FortiSOAR: Create Alert | api/triggers/1/splunkAlert |
Splunk > Inbound Alert |
| 2 | FortiSOAR: Create Incident | api/triggers/1/splunkIncident |
Splunk > Inbound Incident |
| 3 | For updating the FortiSOAR Alert when the corresponding notable event is updated | api/triggers/1/splunkAlertUpdate |
Splunk > Alert Update |
| 4 | For updating the FortiSOAR Incident when the corresponding notable event is updated | api/triggers/1/splunkIncidentUpdate |
Splunk > Incident Update |
| 5 | For Updating Splunk on Alert Post-Update | NA | Splunk > Alert Post-Update |
| 6 | For Updating Splunk on Incident Post-Update | NA | Splunk > Incident Post-Update |
The playbooks are installed with the FortiSOAR Splunk connector. For integrations 5 and 6 to work, ensure that you have updated the connector steps in the appropriate playbook to point to your Splunk configuration.
It is recommended that you make a copy of these playbooks and then customize them as per your requirements. Once you have a working copy, ensure that you set the state of the sample playbooks to Inactive; otherwise, both the playbooks will be triggered whenever events are forwarded from Splunk.
To upgrade the Fortinet FortiSOAR Add-on, do the following:
Log in to your Splunkbase account and click Apps > Manage:
Search for Fortinet, which displays the Fortinet FortiSOAR Add-on' row:
Update App page.Click the Terms and Conditions checkbox on the Update from Splunkbase dialog, then click Accept and Continue:
To download the app, enter your Splunk.com account and password in the Login Required dialog, then click Login and Continue:
This downloads and installs the Fortinet FortiSOAR Add-on.
Click Set up now on the Install Successfully dialog to configure the Fortinet FortiSOAR Add-on and auto-populate all of the fields based on your previous settings:
Click Save on the FortiSOAR Configuration dialog, to save the configuration and start using the Fortinet FortiSOAR Add-on:
Failed events are not automatically ingested in FortiSOAR™. You can create a Splunk alert within Splunk and trigger an appropriate FortiSOAR™ action, or trigger data ingestion in the Splunk connector.
Following are the two methods to ingest failed events in FortiSOAR™:
You can create a Splunk alert and push failed events by running a query, specifying a schedule, trigger actions, and the FortiSOAR action to trigger.
index="_internal" source="/opt/splunk/var/log/splunk/TA-fortinet-fortisoar_fortisoar_common.log_events.log" createFSR Incident
FortiSOAR: Create Incident in When Triggered field under Trigger Actions.index="_internal" source="/opt/splunk/var/log/splunk/TA-fortinet-fortisoar_fortisoar_common.log_events.log" createFSR Alert
FortiSOAR: Create Alert in When Triggered field under Trigger Actions.TA-fortinet-fortisoar-x.x.x.tar logThe "Fingerprint has expired” error is seen in the ta-fortinet-fortisoar_fortisoar_common.connection.log file.
This issue could occur in cases where there is a difference between the time of the Splunk Search Head and the FortiSOAR™ instance. Resolve this issue by synchronizing the time of the Splunk Search Head and your FortiSOAR™ instance to a common NTP server.
NOTE: This error is applicable to FortiSOAR version 7.0.1 only.
You see the following error while running the Splunk > Alert Update:
Error message : CS-INTEGRATION-5: Error occurred while executing the connector action ERROR :: 400 Client Error: Bad Request for url: https://localhost/api/auth/users :: {'Error': 'The server encountered an error while handling the request. Please contact the administrator for assistance.'} :: Url: https://localhost/api/auth/users
Resolution:
Update the IRI of the Get CyOPs Users step with /api/auth/users?loginid={{vars.event_owner}} and enable Ignore Error for this step.
FortiSOAR provides powerful bi-directional integration with Splunk. While the Splunk connector provides out-of-the-box support for scheduled data ingestion from Splunk using FortiSOAR™'s Data Ingestion Wizard, the FortiSOAR Splunk add-on can be optionally installed on the Splunk Search Head for some additional capabilities such as automatically forwarding events and alerts from Splunk to FortiSOAR™ and invoking FortiSOAR™ playbooks for investigation.
The Splunk Add-on is designed to work with both normal, and notable events, from Splunk ES. While ES is not a requirement, it is recommended since all bi-directional updates only apply to Splunk's notable events. For more information on using FortiSOAR™'s Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling events from Splunk, see the Splunk connector documentation.
Refer to the Fortinet FortiSOAR Add-on for Splunk page on Splunkbase™ – at https://splunkbase.splunk.com/app/5392 – for overview, version history, and access to other downloadable versions.
Splunk Technology Add-on Version: 4.2.0
FortiSOAR™ Version Tested on: 7.6.0-5012
Splunk connector Versions Tested on: 2.0.0
Authored By: Fortinet
Certified: Yes
The following enhancements have been made to the Fortinet FortiSOAR Splunk Add-on in version 4.2.0:
| Splunk Version | Fortinet FortiSOAR Splunk Add-on version |
|---|---|
| Splunk Cloud | 3.0.1, 4.0.1 |
| Splunk Enterprise 9.0.0.1 | 4.0.0, 4.0.1, 4.2.0 |
| Splunk Enterprise 8.2.0 | 3.0.1 |
| Splunk Enterprise 8.1.0 | 2.7.0, 3.0.1 |
| Splunk Enterprise 8.0.7 | 2.6.0, 2.7.0 |
The Splunk Add-on is designed to work in conjunction with normal events as well as notable events from Splunk ES. While ES is not a requirement, it is recommended since all bi-directional updates only apply to Splunk's notable events.
In your Splunk Instance, click on Browse more apps and search for Fortinet FortiSOAR Add-on for Splunk App.
It is available at https://splunkbase.splunk.com/app/5392/
Log in to your Splunkbase account and install the Splunk add-on.
For steps on upgrading your Fortinet FortiSOAR Splunk Add-on, see the Upgrading the Fortinet FortiSOAR Splunk Add-on topic.
Login to your Splunkbase account and search for the Fortinet FortiSOAR Add-on for Splunk.
It is available at https://splunkbase.splunk.com/app/5392/
Download Fortinet FortiSOAR Add-on for Splunk.
Import the Splunk App TA-fortinet-fortisoar-x.x.x.tar.gz into Splunk ES Search Head.
Important: The TA-fortinet-fortisoar-4.2.0.tar.gz file can be downloaded from Splunkbase.
Configure the TA-fortinet-fortisoar-x.x.x.tar.gz.
Specify a FortiSOAR user who has permission to view and trigger FortiSOAR playbooks.
Ensure that the Splunk server has connectivity to the FortiSOAR™ server and can send requests to the FortiSOAR™ instance on port 443.
Splunk has issued a directive that all Cloud add-ons are required to include SSL certificates for external requests. All Cloud users must therefore perform the following steps to include a certificate on the Splunk server.
Click on the padlock icon next to the FortiSOAR Server URL on your Chrome browser:
Click Connection is secure:
Click Certificate is valid, which in turn displays a new dialog box:
Click the Details tab on the dialog box:
Select the certificate to export all the certificates individually (i.e. server certificate, intermediate certificate, certificate authority certificate, etc), and then click Export:
Save the certificates and prepare them to be used with the Splunk platform:
Combine the server certificate, intermediate certificate, and certificate authority certificate, in this specific order, into a single file. The combined file must be in the Privacy-Enhanced Mail (PEM) format. Use the following Linux command to concat all the certificates:
cat <server certificate file> <intermediate certificate file> <certificate authority certificate file> > <combined server certificate file>
The certificate authority certificate
Once you are satisfied with the review of the combined certificate file, save the file in the Splunk server and provide the path of the file, or provide the FortiSOAR™ server certificate chain in the FortiSOAR Server Certificate field of the Splunk Add-on configuration.
If you have a Splunk Cloud setup then you need to submit a request to Splunk to add the certificate to the Splunk server and then provide the path of the file in the Splunk Add-on configuration.
Deploy the SSL Certificate in on-prem FortiSOAR in case of an on-prem setup:
Obtain certificates (from a certificate authority or a self-signed certificate) and then run the following steps to deploy the certificate:
root user.To deploy your certificate, type the following command:
# csadm certs --deployAt the prompt, specify the following:
For more information, see https://docs.splunk.com/Documentation/Splunk/9.1.1/Security/HowtoprepareyoursignedcertificatesforSplunk.
The Splunk Add-on provides the following integration points:
Splunk Inbound Alert with the api/triggers/1/splunkAlert API trigger. Ensure that the playbook is Active for automated Alert creation.Splunk Inbound Incident with the api/triggers/1/splunkIncident API trigger. Ensure that the playbook is Active for automated Incident creation.FortiSOAR: Run Playbook - Lists all active FortiSOAR playbooks that have an API Trigger as the starting step. The list of playbooks can additionally be filtered based on the tags. The tags are specified in the Set Up page on the Fortinet Splunk Add-on.
OR
Specify the FortiSOAR Playbook that will be Invoked to override the FortiSOAR™ endpoint and Appliance Keys, which have been specified in the application configuration.
Note: To generate APPLIANCE_PRIVATE_KEY and APPLIANCE_PUBLIC_KEY, log on to FortiSOAR™ as an administrator, and click Settings > Appliances. Click Add to create a new appliance. On the New Appliance page specify the name of the appliance and select the Team(s) and Role(s). i.e., Application Administrator and Playbook Administrator roles that apply to this appliance and click Save.
Once you save the new appliance record, FortiSOAR™ displays a pair of Public / Private cryptographic keys in a modal window. You must keep a copy of these keys and add them to the APPLIANCE_PRIVATE_KEY, and APPLIANCE_PUBLIC_KEY fields.
Note: The actions listed in this section are available for both notable and non-notable events.
The Splunk Add-on adds the following searches to Splunk ES. Schedule one of these searches to run every 5 minutes to enable the automated creation of FortiSOAR alerts or incidents for every Splunk notable:
Send ES notable events to FortiSOAR as incidents
To keep the notable status, assignee, and severity updates synchronized between the two products, schedule the following search:
Send ES notable updates to FortiSOAR
By default, this search sends the ES notable updates to FortiSOAR™ as an alert. If you are ingesting the events as incidents in FortiSOAR™, edit the macros.conf file in the Splunk Add-on. In this case, edit the macros.conf file to set the update_type macro to incident-update.
These searches invoke the FortiSOAR playbooks: Splunk Alert Update or Splunk Incident Update, whenever Status, Urgency or Assignee is updated for a notable in Splunk so that the corresponding fields are updated in the FortiSOAR module, provided that the playbooks are in the Active state.
fortisoarsend
This command can also be used directly to forward any search result to FortiSOAR™ as an alert or incident. For example,
<search> | fortisoarsend alert
<search> | fortisoarsend incident
Additionally, the add-on also provides an automated update of Splunk notables, if the Status, Assignee or Urgency fields are updated on the corresponding FortiSOAR module. The playbooks Update Splunk on Alert Post-Update and Update Splunk on Incident Post-Update are triggered whenever the FortiSOAR module is updated, provided the playbooks are in the Active state.
Use the Sync Splunk Users to FortiSOAR connector function in a playbook to synchronize specific Splunk users to FortiSOAR™. Synchronize only those users who are allowed to be assigned to notable events. Synchronizing the users would enable FortiSOAR™ to assign the FortiSOAR alert to the same user as the Assignee for the corresponding Splunk notables.
Note: This procedure is optional, and it enables the bidirectional update of notables. Therefore, perform this procedure, only if you require the Splunk notables to be automatically updated if the corresponding FortiSOAR™ incident or alert module is updated and vice-versa.
When a Splunk ES notable event is mapped to a FortiSOAR™ alert or incident; Status and Urgency of the event can be mapped into the equivalent fields in the FortiSOAR™ modules. The sample playbooks included with Splunk 1.5.0 and later already contain the mapping for the FortiSOAR™ incident and alert modules in their Configuration step. The following image is of the Configuration step in the Splunk > Inbound Alert playbook that contains the mapping:
As mentioned in the Integration Points section, the actions from the FortiSOAR Splunk Add-on invokes playbooks bundled with the Splunk connector for the desired automation. If you want to customize the default behavior of the playbooks, you can either modify the existing playbook or create and invoke a new playbook. In case you are creating a new playbook, you must deactivate or delete the corresponding sample playbook and write a new playbook with the same API trigger.
The following table lists the API trigger and the corresponding default playbook for your easy reference:
| S.No. | Action | API Trigger | Default Playbook |
|---|---|---|---|
| 1 | FortiSOAR: Create Alert | api/triggers/1/splunkAlert |
Splunk > Inbound Alert |
| 2 | FortiSOAR: Create Incident | api/triggers/1/splunkIncident |
Splunk > Inbound Incident |
| 3 | For updating the FortiSOAR Alert when the corresponding notable event is updated | api/triggers/1/splunkAlertUpdate |
Splunk > Alert Update |
| 4 | For updating the FortiSOAR Incident when the corresponding notable event is updated | api/triggers/1/splunkIncidentUpdate |
Splunk > Incident Update |
| 5 | For Updating Splunk on Alert Post-Update | NA | Splunk > Alert Post-Update |
| 6 | For Updating Splunk on Incident Post-Update | NA | Splunk > Incident Post-Update |
The playbooks are installed with the FortiSOAR Splunk connector. For integrations 5 and 6 to work, ensure that you have updated the connector steps in the appropriate playbook to point to your Splunk configuration.
It is recommended that you make a copy of these playbooks and then customize them as per your requirements. Once you have a working copy, ensure that you set the state of the sample playbooks to Inactive; otherwise, both the playbooks will be triggered whenever events are forwarded from Splunk.
To upgrade the Fortinet FortiSOAR Add-on, do the following:
Log in to your Splunkbase account and click Apps > Manage:
Search for Fortinet, which displays the Fortinet FortiSOAR Add-on' row:
Update App page.Click the Terms and Conditions checkbox on the Update from Splunkbase dialog, then click Accept and Continue:
To download the app, enter your Splunk.com account and password in the Login Required dialog, then click Login and Continue:
This downloads and installs the Fortinet FortiSOAR Add-on.
Click Set up now on the Install Successfully dialog to configure the Fortinet FortiSOAR Add-on and auto-populate all of the fields based on your previous settings:
Click Save on the FortiSOAR Configuration dialog, to save the configuration and start using the Fortinet FortiSOAR Add-on:
Failed events are not automatically ingested in FortiSOAR™. You can create a Splunk alert within Splunk and trigger an appropriate FortiSOAR™ action, or trigger data ingestion in the Splunk connector.
Following are the two methods to ingest failed events in FortiSOAR™:
You can create a Splunk alert and push failed events by running a query, specifying a schedule, trigger actions, and the FortiSOAR action to trigger.
index="_internal" source="/opt/splunk/var/log/splunk/TA-fortinet-fortisoar_fortisoar_common.log_events.log" createFSR Incident
FortiSOAR: Create Incident in When Triggered field under Trigger Actions.index="_internal" source="/opt/splunk/var/log/splunk/TA-fortinet-fortisoar_fortisoar_common.log_events.log" createFSR Alert
FortiSOAR: Create Alert in When Triggered field under Trigger Actions.TA-fortinet-fortisoar-x.x.x.tar logThe "Fingerprint has expired” error is seen in the ta-fortinet-fortisoar_fortisoar_common.connection.log file.
This issue could occur in cases where there is a difference between the time of the Splunk Search Head and the FortiSOAR™ instance. Resolve this issue by synchronizing the time of the Splunk Search Head and your FortiSOAR™ instance to a common NTP server.
NOTE: This error is applicable to FortiSOAR version 7.0.1 only.
You see the following error while running the Splunk > Alert Update:
Error message : CS-INTEGRATION-5: Error occurred while executing the connector action ERROR :: 400 Client Error: Bad Request for url: https://localhost/api/auth/users :: {'Error': 'The server encountered an error while handling the request. Please contact the administrator for assistance.'} :: Url: https://localhost/api/auth/users
Resolution:
Update the IRI of the Get CyOPs Users step with /api/auth/users?loginid={{vars.event_owner}} and enable Ignore Error for this step.