Splunk® App for SOAR Export

Use the Splunk App for SOAR Export to Forward Events

This documentation does not apply to the most recent version of Splunk® App for SOAR Export. For documentation on the most recent version, go to the latest release.

Troubleshoot the Splunk App for SOAR Export

If you encounter the following issues, follow these steps for guidance.

Problems with certificate validation

If you are having difficulty establishing a connection between Splunk Phantom and your Splunk Enterprise instance, you may have seen an error message that looks something like this:

Failed to communicate with user "" on Phantom server "https://example.com". Error: Httpsconnectionpool(host='example.com', port=443): max retries exceeded with url: /rest/ph_user?include_automation=true&_filter_token__key='<token>' (caused by sslerror(sslerror(1, u'[ssl: certificate_verify_failed] certificate verify failed (_ssl.c:741)'),)) 

See Provide a valid SSL certificate for the connection between Splunk Phantom and Splunk Enterprise for information on how to fix this issue.

Splunk Enterprise Security Adaptive Response "Send to Phantom" option missing

In the Splunk Phantom App for Splunk version 2.2.6, an Enterprise Security Adaptive Response feature was added so that Splunk platform users can send events directly to Splunk Phantom. If the App Import Update configuration in Splunk Enterprise Security (ES) does not specify Splunk Phantom or Splunk SOAR, the Send to Phantom action is unavailable.

To check if the Splunk ES App Import Update is configured to allow access to the Splunk App for SOAR Export, perform the following tasks:

  1. In Splunk Web, click on the Enterprise Security app.
  2. In Splunk ES, select Configure > General > App Imports Update.
  3. In the App Import "update_es", verify that the Application Regular Expression field includes |(phantom). For example:
    (appsbrowser)|(search)|([ST]A-.)|(Splunk_[ST]A_.)|(DA-ESS-.)|(Splunk_DA-ESS_.)|(phantom)

If you are unable to locate the configuration page, you can find the App Imports Update configurations in the following location:

https://<hostname_or_ip>:<splunk_port>/en-US/manager/SplunkEnterpriseSecuritySuite/data/inputs/app_imports_update
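To confirm that an App Imports Update expression would actually pick up the phantom app, rather than eyeballing it for the `|(phantom)` alternative, here is an added Python check (not part of the Splunk documentation or the app). It assumes that Splunk ES applies the expression as a match anchored at the start of each app directory name; the sample app names are constructed.

```python
import re

# Expression from the App Import "update_es" shown on this page, with and
# without the "|(phantom)" alternative that the Send to Phantom action needs.
WITH_PHANTOM = (r"(appsbrowser)|(search)|([ST]A-.)|(Splunk_[ST]A_.)"
                r"|(DA-ESS-.)|(Splunk_DA-ESS_.)|(phantom)")
WITHOUT_PHANTOM = (r"(appsbrowser)|(search)|([ST]A-.)|(Splunk_[ST]A_.)"
                   r"|(DA-ESS-.)|(Splunk_DA-ESS_.)")

# Constructed sample of app directory names as they might appear under
# $SPLUNK_HOME/etc/apps; not taken from a real deployment.
SAMPLE_APPS = [
    "appsbrowser", "search", "SA-IdentityManagement", "TA-phantom",
    "DA-ESS-AccessProtection", "Splunk_TA_nix", "phantom", "my_custom_app",
]


def imported_apps(pattern, apps):
    """Return the app names the App Import expression would import.

    Assumption: the expression is anchored at the start of the app name,
    so re.match (not re.search or re.fullmatch) models Splunk ES here.
    """
    regex = re.compile(pattern)
    return [app for app in apps if regex.match(app)]


def missing_phantom_import(pattern):
    """True when an app literally named 'phantom' would not be imported,
    which is the condition behind the missing Send to Phantom action."""
    return re.compile(pattern).match("phantom") is None


if __name__ == "__main__":
    for label, pattern in (("with", WITH_PHANTOM), ("without", WITHOUT_PHANTOM)):
        print(label, imported_apps(pattern, SAMPLE_APPS),
              "phantom missing:", missing_phantom_import(pattern))
```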

Error assigning the automation role to a user

If you are using the Automation role in Splunk Phantom and get an error, try entering "any" in the allowed IPs field. Once you establish communication between Splunk Phantom or Splunk SOAR and your Splunk platform instance, change the allowed IPs to the IP address or IP range for the Splunk platform instance.

Error adding a label using Splunk Enterprise Security

To see if an error occurred when you added a label, run the following search:

index=cim_modactions sourcetype="modular_alerts:phantom_forward" ERROR

The Splunk Phantom or Splunk SOAR server configuration cannot be added to the Splunk App for SOAR Export

In some cases, the Splunk App for SOAR Export server configuration and searches may display an error message such as the following in $SPLUNK_HOME/var/log/splunk/python.log:

Error talking to splunk: GET /servicesNS/nobody/phantom/configs/conf-phantom: 
[HTTP 403] Client is not authorized to perform requested action; 

The capabilities phantom_read, phantom_write, and admin_all_objects might no longer be applied by default to the phantom Splunk role during the Splunk App for SOAR Export installation. Without these capabilities, the Splunk App for SOAR Export cannot read or write the REST API key of the Splunk Phantom instance.

To resolve the issue, add the Splunk Phantom role to whichever role is in use by the Splunk App for SOAR Export.

If you are using release 2.5.2 or earlier of the Phantom App for Splunk, perform the following steps:

  1. In Splunk Web, navigate to Settings > Access Controls.
  2. Click Roles.
  3. Click the phantom role.
  4. In the Capabilities section, from the Available capabilities column, click admin_all_objects, phantom_read, phantom_write, and list_storage_passwords to add them to Selected capabilities.
  5. Click Save.

If you are using release 2.5.23 or later of the Phantom App for Splunk, perform the following tasks:

  1. In Splunk Web, navigate to Settings > Access Controls.
  2. Click Users.
  3. Click the name in use by the Splunk App for SOAR Export, such as Admin.
  4. In the Assign to roles section, from the Available item(s) column, click phantom to add it to Selected item(s).
  5. Click Save.

If you are configuring a Splunk Phantom or Splunk SOAR (On-premises) cluster, configure the cluster before configuring the Splunk App for SOAR Export. Any configuration or information on a stand-alone Splunk Phantom instance is erased when the instance is joined to an existing cluster. See About Splunk SOAR (On-premises) clusters in the Install and Upgrade Splunk SOAR (On-premises) manual.

Container labels not showing up in Splunk SOAR or Splunk Phantom

With data model and saved search exports, the container label must already exist on the server; otherwise it does not appear in Splunk SOAR or Splunk Phantom. It is easiest to leave the container label as the default. When you leave the label as the default, the app selects a generic label that exists in Splunk Phantom.

Saving a Splunk Data Model Export fails with an error

Saving a data model export in the Splunk App for SOAR Export fails with the following error if Splunk Enterprise or Splunk Cloud Platform is configured to use the Free license group:

Argument "action.script" is not supported by this handler.

Saved searches are disabled on the Splunk App for SOAR Export in the Free license group. The minimum license level required for saved search functionality is the Trial license group. You can view your current license level in Splunk Web by selecting Settings > System > Licensing.

The sendalert command returns error code 3

You can use the sendalert command to send a sendtophantom or runphantomplaybook action to your Splunk SOAR or Splunk Phantom instance. For example, the following command creates a CEF mapping for src_ip in the Splunk Phantom artifact:

| makeresults | eval src_ip="123.45.66.77" | sendalert sendtophantom param.phantom_server="Default Splunk Phantom" param.sensitivity="amber" param.severity="low" param.label="events" param._cam_workers="[\"local\"]"

The following example sends a run playbook request to Splunk Phantom:

| makeresults | eval src_ip="123.45.66.77" | sendalert runphantomplaybook param.server_playbook_name="Default: phmarketing/mkt1" param.sensitivity="amber" param.severity="low" param.label="events" param._cam_workers="[\"local\"]"

In some cases, you may see an error from the sendalert command such as the following:

Error in 'sendalert' command: Alert script returned error code 3

In the sendalert command, make sure the param.phantom_server value matches the value in the Phantom Instance field of the Send to Phantom dialog in the user interface. The name must match exactly, character for character, including white space and letter case.
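Because a single stray space or a case difference in param.phantom_server is enough to cause the exact-match failure behind this error, the following added Python helper (not part of the Splunk documentation or the app) pulls the server name out of a sendalert command and compares it against the configured instance names, flagging near misses separately from genuinely unknown names. The configured names and the faulty command are constructed for the example.

```python
import re

# Constructed list of instance names as they would appear in the Phantom
# Instance field of the Splunk App for SOAR Export; not a real deployment.
CONFIGURED_SERVERS = ["Default Splunk Phantom", "SOAR Prod"]

# The sendtophantom command from this page, once with a constructed trailing
# space inside the server name (a near miss) and once spelled correctly.
BAD_COMMAND = ('| makeresults | eval src_ip="123.45.66.77" | sendalert sendtophantom '
               'param.phantom_server="Default Splunk Phantom " param.severity="low"')
GOOD_COMMAND = ('| makeresults | eval src_ip="123.45.66.77" | sendalert sendtophantom '
                'param.phantom_server="Default Splunk Phantom" param.severity="low"')

_SERVER_RE = re.compile(r'param\.phantom_server="([^"]*)"')


def extract_phantom_server(spl):
    """Return the quoted param.phantom_server value from an SPL string, or None."""
    match = _SERVER_RE.search(spl)
    return match.group(1) if match else None


def check_phantom_server(spl, configured):
    """Classify the server name in a sendalert command.

    'ok'                 exact match against a configured instance name
    'case_or_whitespace' equal only after normalising case and whitespace;
                         still fails the app's exact-match requirement
    'missing'            no param.phantom_server in the command
    'unknown'            no configured name resembles it
    """
    name = extract_phantom_server(spl)
    if name is None:
        return "missing"
    if name in configured:
        return "ok"

    def normalise(s):
        # Collapse runs of whitespace, strip the ends, ignore letter case.
        return " ".join(s.split()).casefold()

    if any(normalise(name) == normalise(c) for c in configured):
        return "case_or_whitespace"
    return "unknown"


if __name__ == "__main__":
    for cmd in (BAD_COMMAND, GOOD_COMMAND):
        print(repr(extract_phantom_server(cmd)), "->",
              check_phantom_server(cmd, CONFIGURED_SERVERS))
```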

Last modified on 30 March, 2022

This documentation applies to the following versions of Splunk® App for SOAR Export: 4.1.117

