Troubleshooting and tips for Splunk App for SOAR Export
Troubleshooting
If you encounter the following issues, follow these steps for guidance.
Problems with certificate validation
If you are having difficulty establishing a connection between Splunk SOAR and your Splunk Enterprise instance, you may have seen an error message that looks something like this:
Failed to communicate with user "" on SOAR server "https://example.com". Error: Httpsconnectionpool(host='example.com', port=443): max retries exceeded with url: /rest/ph_user?include_automation=true&_filter_token__key='<token>' (caused by sslerror(sslerror(1, u'[ssl: certificate_verify_failed] certificate verify failed (_ssl.c:741)'),))
See Provide a valid SSL certificate for the connection between Splunk SOAR and Splunk Enterprise for information on how to fix this issue.
Error assigning the automation role to a user
If you are using the Automation role in Splunk SOAR and get an error, try entering "any" in the allowed IPs field. Once you establish communication between Splunk SOAR and your Splunk platform instance, change the allowed IPs to the IP address or IP range for the Splunk platform instance.
Error adding a label using Splunk Enterprise Security
To see if an error occurred when you added a label, run the following search:
index=cim_modactions sourcetype="modular_alerts:phantom_forward" ERROR
The Splunk SOAR server configuration cannot be added to Splunk App for SOAR Export
In some cases, the Splunk App for SOAR Export server configuration and searches may display an error message such as the following in $SPLUNK_HOME/var/log/splunk/python.log:
Error talking to splunk: GET /servicesNS/nobody/phantom/configs/conf-phantom: [HTTP 403] Client is not authorized to perform requested action;
The capabilities phantom_read, phantom_write, and admin_all_objects may no longer be applied by default to a non-admin Splunk role during the Splunk App for SOAR Export installation. Without these capabilities, Splunk App for SOAR Export is not able to read or write the REST API key of the Splunk SOAR instance.
To resolve the issue, follow these steps to add the Splunk phantom role to whichever role is in use by Splunk App for SOAR Export.
- In Splunk Web, navigate to Settings, then Access Controls.
- Select Users.
- Select the name in use by Splunk App for SOAR Export, such as User15.
- In the Assign to roles section, from the Available item(s) column, select phantom to add it to Selected item(s).
- Select Save.
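Before and after the procedure above it helps to confirm what a role can actually do, rather than what Splunk Web shows in one screen. The script below is an added example, not part of the Splunk documentation or the app: it reads the JSON returned by the Splunk authorization roles REST endpoint (assumed here to be fetched separately, for example with curl against https://localhost:8089/services/authorization/roles?output_mode=json) and reports which of the three capabilities named above each role lacks. It counts both a role's own capabilities and those inherited from imported roles such as phantom. The sample response embedded in the script is constructed, not captured from a real instance.

```python
import json
import sys

# The capabilities the troubleshooting text says Splunk App for SOAR Export needs.
REQUIRED_CAPABILITIES = {"phantom_read", "phantom_write", "admin_all_objects"}


def effective_capabilities(role_entry: dict) -> set:
    """Union of a role's own and inherited capabilities.

    role_entry is one element of the "entry" list returned by
    /services/authorization/roles?output_mode=json. A role that imports
    another role (e.g. phantom) gets that role's capabilities, which Splunk
    reports separately under "imported_capabilities".
    """
    content = role_entry.get("content", {})
    own = set(content.get("capabilities", []))
    inherited = set(content.get("imported_capabilities", []))
    return own | inherited


def missing_capabilities(role_entry: dict, required=REQUIRED_CAPABILITIES) -> set:
    """Required capabilities the role does not have, directly or by inheritance."""
    return set(required) - effective_capabilities(role_entry)


def audit_roles(api_response: dict, required=REQUIRED_CAPABILITIES) -> dict:
    """Map every role name in the response to the set of required capabilities it lacks."""
    return {
        entry["name"]: missing_capabilities(entry, required)
        for entry in api_response.get("entry", [])
    }


# Constructed sample shaped like the roles endpoint's JSON output (trimmed to the
# fields used here). Not captured from a real deployment.
SAMPLE_RESPONSE = {
    "entry": [
        {
            "name": "phantom",
            "content": {
                "capabilities": ["phantom_read", "phantom_write", "admin_all_objects"],
                "imported_capabilities": [],
            },
        },
        {
            # A custom role used by the app before the phantom role was assigned.
            "name": "soar_export_user",
            "content": {"capabilities": ["search"], "imported_capabilities": ["rtsearch"]},
        },
        {
            # The same role after it imports phantom: capabilities arrive via inheritance.
            "name": "soar_export_user_fixed",
            "content": {
                "capabilities": ["search"],
                "imported_capabilities": ["phantom_read", "phantom_write", "admin_all_objects"],
            },
        },
    ]
}


def main(argv):
    # Optional argument: path to a saved JSON response from the roles endpoint.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            response = json.load(fh)
    else:
        response = SAMPLE_RESPONSE
    for role, missing in sorted(audit_roles(response).items()):
        status = "ok" if not missing else "missing " + ", ".join(sorted(missing))
        print(f"{role}: {status}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the constructed sample, or pass the path of a file holding the real endpoint output. A role that reports "ok" has the three capabilities the app needs; one that lists missing capabilities is the role to fix with the steps above, either by assigning phantom to the user or by importing phantom into the custom role.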
If you are configuring a Splunk SOAR (On-premises) cluster, configure the cluster before configuring Splunk App for SOAR Export. Any configuration or information on a stand-alone Splunk SOAR instance is erased when the instance is joined to an existing cluster. See Create a Splunk SOAR (On-premises) Cluster in the Install and Upgrade Splunk SOAR (On-premises) manual.
Container labels not showing up in Splunk SOAR
With data model and saved search exports, the container label must exist in the server or it does not appear in Splunk SOAR. It is easiest to leave the container label as the default. When you leave the label as the default, the app finds a generic label to use that exists in Splunk SOAR.
Saving a Splunk Data Model Export fails with an error
Saving a data model export in Splunk App for SOAR Export fails with the following error if Splunk Enterprise or Splunk Cloud Platform is configured to use the Free license group:
Argument "action.script" is not supported by this handler.
Saved searches are disabled on Splunk App for SOAR Export in the Free license group. The minimum license level required for saved search functionality is the Trial license group. You can view your current license level in Splunk Web by selecting Settings > System > Licensing.
Tips
Server configuration that does not always use a proxy
If you want a server configuration to use a proxy sometimes, but not always, follow these steps:
- In Splunk SOAR, create multiple automation users. For details, see
  - Splunk SOAR (cloud): Add users to Splunk SOAR (Cloud).
  - Splunk SOAR (on-premises): Add users to Splunk SOAR (On-premises).
- In Splunk App for SOAR Export, set up a server configuration for one of those users with the proxy setting and another without it. For details, see Connect the Splunk App for SOAR Export and the Splunk Platform to Splunk SOAR.
This documentation applies to the following versions of Splunk® App for SOAR Export: 4.1.135, 4.2.3