Splunk SOAR
Splunk SOAR App for CrowdSec. This app enriches IP addresses in event investigations and playbooks using CrowdSec's CTI API.
This documentation walks through installing and configuring the app, then shows an example of usage in which IP addresses are enriched during an event investigation.
Setup
- Navigate to apps page from your dashboard as shown in the image below.
- Navigate to the new apps page by clicking on the New Apps button. Then search for "CrowdSec".
- Click on the Install button to install the app.
Configuring the App
- The app should now appear under unconfigured apps.
- Click on the CONFIGURE NEW ASSET button.
- Enter the required details (asset name, etc.) in the Asset Info tab.
- Navigate to the Asset Settings pane and enter your CrowdSec CTI API key. If you don't have one already, see this guide to obtain one.
- Click on the Save button to save the asset.
- You can test this asset by clicking on the Test Connectivity button. If everything is configured properly, you will get a message like the one in the image.
Done, you've successfully configured the app. You can now use it in your playbooks and event investigations.
Example Usage
Here's an example of its usage in an event investigation.