Splunk SOAR | Configure | Intelligence Center

To integrate with Splunk SOAR, you will need to:

  1. Create or choose a source Group for the Splunk SOAR app.

  2. Create an API token.

  3. Create a dedicated outgoing feed to load entities into Splunk SOAR as Events.

Create or choose Source

To send Sighting and Indicator entities from Splunk SOAR to EclecticIQ Intelligence Center, you must provide, as the Source of those entities, the name of a Group that your Intelligence Center user is a member of.

You can choose an existing Group, but it is advisable to create a new Group so that entities created by the Splunk SOAR app are clearly attributable to it. Learn more about creating a new Group and selecting a default Source.

Create API token

To set up the Splunk SOAR app, you have to create an API token as a user with the permissions and group memberships the API will need.

This user must be assigned at least the following permissions:

  • read permissions

  • modify entities

  • read extracts

  • read outgoing-feeds

  • read sources

  • read taxonomies

Recommendation: service account

Create a new EclecticIQ Intelligence Center user to act as a service account, and use it to create the tokens for each API service you use. Configure this user with only the permissions, group memberships, and defaults that the API service requires, then log in as that user to generate its API tokens. An API token acts with the permissions of the user that created it, so keep the account's permissions to the minimum listed above and set an expiration date on the token.

If your usage of the associated API changes, update the service account's permissions, memberships, and defaults rather than granting the extra rights to a personal account.

  1. Log in to EclecticIQ Intelligence Center (EIQ IC) as a user with the permissions and group memberships required for the API.
    If you created a service account, log in as that user.

  2. In the side navigation bar, select the user’s avatar image.

  3. From the pop-up menu, select My profile.

  4. In the My profile view, select Edit on the bottom-right corner.

  5. In the Edit your profile view, browse to the API tokens section.

  6. Any existing API tokens are listed here.

  7. To create a new API token, select + Create API token.

  8. In the Create new API token dialog, enter a reader-friendly name to identify the API token.

  9. If you want the token to expire after a set period (recommended for a service account token), select the Select expiration date checkbox.

  10. From the drop-down menu select one of the predefined time intervals.

  11. Click Generate token to create a new API token with the selected settings.

Create outgoing feed

If you want to load Indicator or Sighting entities into Splunk SOAR as events, you have to create an outgoing feed:

  1. In the left navigation bar of the Intelligence Center, go to Data configuration > Outgoing feeds.

  2. In the top-left corner, click the plus icon.

  3. Enter an Outgoing feed name.

  4. Select a Dataset from the dropdown.
    Entities from this dataset are made available to Splunk SOAR.
    For Update strategy, select either Append or Replace.

  5. For Transport type select HTTP download, and for Content type select EclecticIQ JSON.

  6. For Authorized groups select the group you chose or created for the Splunk SOAR app.
    Keep in mind that your user must have at least the read entities and read extracts permissions.

  7. For Execution schedule select None.
    The outgoing feed will not run on a schedule; it is triggered from the Splunk SOAR app.

  8. Save the Outgoing feed.

Note down the ID of the outgoing feed you just created. To find the outgoing feed ID:

  1. Select the outgoing feed.

  2. Inspect the URL that appears in your browser address bar, e.g.: https://ic-playground.eclecticiq.com/main/configuration/outgoing-feeds?tab=detail&detail=62

  3. The outgoing feed ID is the value for the detail query parameter. In the example above, the outgoing feed ID is 62.
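As an added example (not part of the EclecticIQ documentation or of the Splunk SOAR app), the following Python script validates the two values collected on this page before you enter them into the app: it parses the outgoing feed ID out of the feed's detail URL, refusing any URL that is not an outgoing-feeds URL with a single numeric detail parameter, and reports which of the permissions listed under Create API token are missing from a service account's permission set. The permission names are taken from this page; the function names, the sample URL, and the granted-permission set are constructed for the example.

```python
"""Preflight checks for the Splunk SOAR / EclecticIQ IC integration settings.

Added example, not EclecticIQ or Splunk SOAR code. It checks the two values
this page asks you to collect: the outgoing feed ID (from the feed's detail
URL) and the service account's permission set. Permission names come from
the page; the sample inputs at the bottom are constructed.
"""
from urllib.parse import urlparse, parse_qs

# Minimum permissions the page lists for the user that owns the API token.
REQUIRED_PERMISSIONS = frozenset({
    "read permissions",
    "modify entities",
    "read extracts",
    "read outgoing-feeds",
    "read sources",
    "read taxonomies",
})


def outgoing_feed_id_from_url(url: str) -> int:
    """Return the outgoing feed ID encoded in an IC outgoing-feed detail URL.

    The ID is the value of the ``detail`` query parameter, e.g. 62 for
    .../outgoing-feeds?tab=detail&detail=62. A URL that is not an
    outgoing-feeds URL, or that lacks exactly one numeric ``detail``
    parameter, raises ValueError instead of guessing an ID.
    """
    parsed = urlparse(url)
    if not parsed.path.rstrip("/").endswith("/outgoing-feeds"):
        raise ValueError(f"not an outgoing-feeds URL: {url}")
    values = parse_qs(parsed.query).get("detail", [])
    if len(values) != 1 or not values[0].isdigit():
        raise ValueError(f"no single numeric 'detail' parameter in: {url}")
    return int(values[0])


def missing_permissions(granted) -> frozenset:
    """Return the required permissions that ``granted`` does not include."""
    return REQUIRED_PERMISSIONS - set(granted)


def check_settings(feed_url: str, granted):
    """Validate both settings at once; returns (feed_id, missing_permissions).

    Hypothetical helper name; raises ValueError if the URL is unusable.
    """
    return outgoing_feed_id_from_url(feed_url), missing_permissions(granted)


if __name__ == "__main__":
    # Constructed sample input mirroring the page's example URL, plus a
    # deliberately under-privileged permission set for the service account.
    sample_url = ("https://ic-playground.eclecticiq.com/main/configuration/"
                  "outgoing-feeds?tab=detail&detail=62")
    sample_granted = {"read permissions", "read extracts",
                      "read outgoing-feeds", "read sources"}
    feed_id, missing = check_settings(sample_url, sample_granted)
    print("outgoing feed id:", feed_id)
    print("missing permissions:", sorted(missing))
```

Run it with the URL copied from your browser address bar and the permission list shown on the service account's profile; an empty missing set and the expected feed ID mean the values are ready to enter into the Splunk SOAR app.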