Troubleshoot the Splunk Phantom App for Splunk
If you encounter the following issues, follow these steps for guidance.
Problems with certificate validation
If you are having difficulty establishing a connection between Splunk Phantom and your Splunk Enterprise instance, you may have seen an error message that looks something like this:
Failed to communicate with user "" on Phantom server "https://example.com". Error: Httpsconnectionpool(host='example.com', port=443): max retries exceeded with url: /rest/ph_user?include_automation=true&_filter_token__key='<token>' (caused by sslerror(sslerror(1, u'[ssl: certificate_verify_failed] certificate verify failed (_ssl.c:741)'),))
See Provide a valid SSL certificate for the connection between Splunk Phantom and Splunk Enterprise for information on how to fix this issue.
Splunk Enterprise Security Adaptive Response "Send to Phantom" option missing
In the Splunk Phantom App for Splunk version 2.2.6, an Enterprise Security Adaptive Response feature was added so that Splunk platform users can send events directly to Splunk Phantom. If the App Import Update configuration in Splunk Enterprise Security (ES) does not specify Splunk Phantom, the Send to Phantom action is unavailable.
To check if the Splunk ES App Import Update is configured to allow access to the Splunk Phantom App for Splunk, perform the following tasks:
- In Splunk Web, click on the Enterprise Security app.
- In Splunk ES, select Configure > General > App Imports Update.
- In the App Import "update_es", verify that the Application Regular Expression field includes
|(phantom)
. For example:(appsbrowser)|(search)|([ST]A-.)|(Splunk_[ST]A_.)|(DA-ESS-.)|(Splunk_DA-ESS_.)|(phantom)
If you are unable to locate the configuration page, you can find the App Imports Update configurations in the following location:
https://<hostname_or_ip>:<splunk_port>/en-US/manager/SplunkEnterpriseSecuritySuite/data/inputs/app_imports_update
Error assigning the automation role to a user
If you are using the Automation
role in Splunk Phantom and get an error, try entering "any" in the allowed IPs field. Once you establish communication between Splunk Phantom and your Splunk platform instance, change the allowed IPs to the IP address or IP range for the Splunk platform instance.
Error adding a label using Splunk Enterprise Security
To see if an error occurred when you added a label, run the following search:
index=cim_modactions sourcetype="modular_alerts:phantom_forward" ERROR
The Splunk Phantom server configuration cannot be added to the Splunk Phantom App for Splunk
In some cases, the Splunk Phantom App for Splunk server configuration and searches may display an error message such as the following in $SPLUNK_HOME/var/log/splunk/python.log
:
Error talking to splunk: GET /servicesNS/nobody/phantom/configs/conf-phantom: [HTTP 403] Client is not authorized to perform requested action;
The capabilities of phantom_read
, phantom_write
, and admin_all_objects
may no longer be applied by default to the Splunk role during the Splunk Phantom App for Splunk installation. Without these capabilities, the Splunk Phantom App for Splunk is not able to read or write the REST API key of the Splunk Phantom instance.
To resolve the issue, add the Splunk Phantom role to whichever role is in use by the Splunk Phantom App for Splunk.
If you are using release 2.5.2 or earlier of the Splunk Phantom App for Splunk, perform the following steps:
- In Splunk Web, navigate to Settings > Access Controls.
- Click Roles.
- Click the phantom role.
- In the Capabilities section, from the Available capabilities column, click admin_all_objects, phantom_read, phantom_write, and list_storage_passwords to add them to Selected capabilities.
- Click Save.
If you are using release 2.5.23 or later of the Phantom App for Splunk, perform the following tasks:
- In Splunk Web, navigate to Settings > Access Controls.
- Click Users.
- Click the name in use by the Splunk Phantom App for Splunk, such as Admin.
- In the Assign to roles section, from the Available item(s) column, click phantom to add it to Selected item(s).
- Click Save.
If you are configuring a Splunk Phantom cluster, configure the cluster before configuring the Splunk Phantom App for Splunk. Any configuration or information on a stand-alone Splunk Phantom instance is erased when the instance is joined to an existing cluster. See Create a Splunk SOAR (On-premises) Cluster in the Install and Upgrade Splunk SOAR (On-premises) manual.
Container labels not showing up in Splunk Phantom
With data model and saved search exports, the container label must exist in the server or it does not appear in Splunk Phantom. It is easiest to leave the container label as the default. When you leave the label as the default, the app finds a generic label to use that exists in Splunk Phantom.
Saving a Splunk Data Model Export fails with an error
Saving a data model export in the Splunk Phantom App for Splunk fails with the following error if Splunk Enterprise or Splunk Cloud Platform is configured to use the Free license group:
Argument "action.script" is not supported by this handler.
Saved searches are disabled on the Splunk Phantom App for Splunk in the Free license group. The minimum license level required for saved search functionality is the Trial license group. You can view you current license level in Splunk Web by selecting Settings > System > Licensing.
The sendalert command returns error code 3
You can use the sendalert command to perform a sendtophantom or runphantomplaybook to your Splunk Phantom instance. For example, the following command creates a CEF mapping for the src_ip in the Splunk Phantom artifact:
| makeresults
| eval src_ip="123.45.66.77"
| sendalert sendtophantom param.phantom_server="Default Splunk Phantom" param.sensitivity="amber" param.severity="low" param.label="events" param._cam_workers="[\"local\"]"
The following example sends a run playbook request to Splunk Phantom:
| makeresults
| eval src_ip="123.45.66.77"
| sendalert runphantomplaybook param.server_playbook_name="Default: phmarketing/mkt1" param.sensitivity="amber" param.severity="low" param.label="events" param._cam_workers="[\"local\"]"
In some cases, you may see an error from the sendalert command such as the following:
Error in 'sendalert' command: Alert script returned error code 3
In the sendalert command, make sure the param.phantom_server value matches the value in the Phantom Instance field in the Send to Phantom dialog in the user interface. The name must be an exact match against all characters, including white spaces and case sensitivity.
Backup and restore configuration files for Splunk Phantom App for Splunk |
This documentation applies to the following versions of Splunk® Phantom App for Splunk: 4.1.73
Feedback submitted, thanks!