Splunk® App for SOAR Export

Use the Splunk App for SOAR Export to Forward Events

This documentation does not apply to the most recent version of Splunk® App for SOAR Export. For documentation on the most recent version, go to the latest release.

Troubleshooting and tips for Splunk App for SOAR Export

Troubleshooting

If you encounter the following issues, follow these steps for guidance.

Problems with certificate validation

If the Splunk App for SOAR Export cannot establish a connection from your Splunk Enterprise instance to Splunk SOAR, you may see an error message that looks like this:

Failed to communicate with user "" on SOAR server "https://example.com". Error: HTTPSConnectionPool(host='example.com', port=443): Max retries exceeded with url: /rest/ph_user?include_automation=true&_filter_token__key='<token>' (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:741)'),))

This error means that the Splunk platform host does not trust the certificate Splunk SOAR presented, typically because it was issued by a CA (or is self-signed) that is not in the trust store the app uses. Fix the trust path rather than disabling certificate verification, which would leave the connection open to interception. See Provide a valid SSL certificate for the connection between Splunk SOAR and Splunk Enterprise for information on how to fix this issue.
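The following script is an added example, not code from the Splunk App for SOAR Export. It reproduces the two checks the app's HTTPS client performs when it connects to SOAR (verify the certificate chain against a CA bundle, then match the host name) so that a CERTIFICATE_VERIFY_FAILED error can be diagnosed instead of silenced, and it maps the error text shown above to a cause and corrective action. The SOAR host, port and CA bundle path are assumptions supplied on the command line; the only SOAR-specific input is the error text from this page.

```python
"""Check the TLS trust path from the Splunk platform host to a Splunk SOAR server.

Added example; not code from the Splunk App for SOAR Export. Host, port and the
CA bundle path are assumptions supplied by the caller.
"""
import socket
import ssl
import sys

# Error text from this page, used as input for diagnose().
PAGE_ERROR = (
    "Failed to communicate with user \"\" on SOAR server \"https://example.com\". "
    "Error: HTTPSConnectionPool(host='example.com', port=443): Max retries exceeded "
    "with url: /rest/ph_user?include_automation=true&_filter_token__key='<token>' "
    "(Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate "
    "verify failed (_ssl.c:741)'),))"
)


def verify_soar_tls(host, port=443, cafile=None, timeout=5.0):
    """Handshake with verification ON and report the outcome as a dict.

    cafile=None uses the system trust store, which is what fails when SOAR
    presents a self-signed or internal-CA certificate. Pass the issuing CA's
    PEM bundle to verify against it instead. Never "fix" the error with
    CERT_NONE or check_hostname=False: that disables the check that is failing.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED

    def flat(rdns):
        # getpeercert() returns each RDN as a tuple of (name, value) pairs.
        return {k: v for rdn in rdns for k, v in rdn}

    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {
                    "ok": True,
                    "subject": flat(cert.get("subject", ())),
                    "issuer": flat(cert.get("issuer", ())),
                    "not_after": cert.get("notAfter"),
                    "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
                }
    except ssl.SSLCertVerificationError as exc:
        # reason is CERTIFICATE_VERIFY_FAILED; verify_message names the actual cause
        # (self-signed certificate, unable to get local issuer certificate, ...).
        return {"ok": False, "error": f"{exc.reason}: {exc.verify_message}"}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "error": str(exc)}


def diagnose(message):
    """Map error text logged by the app (or by verify_soar_tls) to (cause, action)."""
    m = message.lower()
    # Host-name failures are checked first: Python reports them under
    # CERTIFICATE_VERIFY_FAILED as well, with "Hostname mismatch" in the detail.
    if "hostname mismatch" in m or "doesn't match" in m:
        return ("hostname_mismatch",
                "The SOAR certificate's SAN does not contain the host name in the server URL. "
                "Use the name on the certificate in the server configuration, or reissue the certificate.")
    if "certificate_verify_failed" in m:
        return ("untrusted_certificate",
                "The Splunk platform does not trust the CA that issued the SOAR certificate. "
                "Install a certificate from a trusted CA on SOAR or add the issuing CA to the "
                "bundle the app uses; do not disable verification.")
    if "max retries exceeded" in m or "connection refused" in m or "timed out" in m:
        return ("unreachable",
                "No TLS problem was reported; check routing, firewalls and the SOAR REST port.")
    return ("unknown", "Inspect the full traceback in $SPLUNK_HOME/var/log/splunk/python.log.")


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # assumed SOAR host
    cafile = sys.argv[2] if len(sys.argv) > 2 else None           # assumed CA bundle path
    result = verify_soar_tls(host, cafile=cafile)
    print(result)
    if not result["ok"]:
        print(diagnose(result["error"]))
```

Run it once with no CA bundle to reproduce the app's failure, then with the PEM bundle containing the CA that issued the SOAR certificate; when the second run succeeds, that bundle is what the Splunk platform host needs to trust.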

Error assigning the automation role to a user

If you assign the Automation role to a user in Splunk SOAR and get an error, try entering "any" in the Allowed IPs field for that automation user. This removes the source-IP restriction on the user's token, so treat it as a temporary step: once communication between Splunk SOAR and your Splunk platform instance is working, change Allowed IPs to the IP address or IP range of the Splunk platform instance.

Error adding a label using Splunk Enterprise Security

To see if an error occurred when you added a label, run the following search:

index=cim_modactions sourcetype="modular_alerts:phantom_forward" ERROR

The Splunk SOAR server configuration cannot be added to Splunk App for SOAR Export

In some cases, attempts to view the Splunk SOAR server configuration or to run the app's searches fail, and $SPLUNK_HOME/var/log/splunk/python.log records an error like this example:

Error talking to splunk: GET /servicesNS/nobody/phantom/configs/conf-phantom: 
[HTTP 403] Client is not authorized to perform requested action; 

Reading the Splunk SOAR server configuration requires the phantom_read capability, and modifying it requires phantom_write together with admin_all_objects. By default only the admin role holds all three, so only administrators can both read and modify the configuration. A user who is not an administrator but has the phantom_read capability can view the configuration but cannot modify it. If you see this error, compare the user's role capabilities against these requirements.

For details on Splunk App for SOAR Export roles, see Enable Splunk platform users to use Splunk App for SOAR Export.

Container labels not showing up in Splunk SOAR

For data model and saved search exports, the container label you specify must already exist on the Splunk SOAR server; containers sent with a label that does not exist do not appear in Splunk SOAR. The simplest approach is to leave the container label at its default, in which case the app uses a generic label that exists in Splunk SOAR.

Saving a Splunk Data Model Export fails with an error

Saving a data model export in Splunk App for SOAR Export fails with the following error if Splunk Enterprise or Splunk Cloud Platform is configured to use the Free license group:

Argument "action.script" is not supported by this handler.

Data model exports in Splunk App for SOAR Export are stored as saved searches, and saved searches are disabled in the Free license group. The minimum license level that provides saved search functionality is the Trial license group. You can view your current license level in Splunk Web by selecting Settings > System > Licensing.

The sendalert command returns error code 3

You can use the sendalert command to invoke the sendtophantom or runphantomplaybook alert action against your Splunk SOAR instance from a search. For example, the following command sends a single event whose src_ip field is mapped to its CEF equivalent in the resulting Splunk SOAR artifact:

| makeresults | eval src_ip="123.45.66.77" | sendalert sendtophantom param.phantom_server="Default Splunk Phantom" param.sensitivity="amber" param.severity="low" param.label="events" param._cam_workers="[\"local\"]"

The following example sends a run playbook request to Splunk SOAR:

| makeresults | eval src_ip="123.45.66.77" | sendalert runphantomplaybook param.server_playbook_name="Default: phmarketing/mkt1" param.sensitivity="amber" param.severity="low" param.label="events" param._cam_workers="[\"local\"]"

In the sendalert command, make sure the param.phantom_server value matches the value in the SOAR Instance field of the Send to SOAR dialog in the user interface exactly. The value is case sensitive, and every character, including spaces, must match.

In some cases, you might see an error like this from the sendalert command:

Error in 'sendalert' command: Alert script returned error code 3

To find the cause of the error, follow these steps:

  1. Open a new browser tab for the Splunk platform. Navigate to the Search tab.
  2. In the Search field, enter one of the following searches, based on your sendalert command:
    index="cim_modactions"| search sendtophantom
    index="cim_modactions"| search runphantomplaybook
  3. A list displays, showing all sendtophantom or runphantomplaybook events. Select the arrow next to the most recent event to expand its details. You might see a message about a missing required field or a mismatched value.
  4. Return to your original browser tab for the Splunk platform, update the sendalert command, and run it again.
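The following script is an added example, not code from the Splunk App for SOAR Export. It covers the two checks described above: it validates a sendtophantom or runphantomplaybook parameter set before you run it (required fields present, param.phantom_server an exact, case- and whitespace-sensitive match for a configured SOAR Instance name, param._cam_workers a JSON list) and renders the sendalert clause with SPL quoting; and it runs the cim_modactions search from the procedure above through the Splunk REST API and pulls out the ERROR events for the action. The parameter names, the search, and the exact-match rule come from this page. The configured server names, the Splunk URL and token, and the sample export lines are constructed assumptions; in particular, the text of the sample events is illustrative and not a verbatim Splunk log format.

```python
"""Pre-check sendalert parameters and triage "Alert script returned error code 3".

Added example; not code from the Splunk App for SOAR Export. Server names, the
Splunk URL/token and the sample events below are constructed assumptions.
"""
import json
import sys
import urllib.parse
import urllib.request

REQUIRED_SENDTOPHANTOM = ("phantom_server", "sensitivity", "severity", "label", "_cam_workers")
REQUIRED_RUNPLAYBOOK = ("server_playbook_name", "sensitivity", "severity", "label", "_cam_workers")

# Constructed sample of /services/search/jobs/export output (one JSON object per
# line, newest first). The _raw text is illustrative, not a real Splunk log line.
SAMPLE_EXPORT = [
    '{"preview":false,"offset":0,"result":{"_time":"2024-09-03T10:00:03.000+00:00",'
    '"_raw":"2024-09-03 10:00:03,000 INFO  sendmodalert - action=sendtophantom - Sent 1 event to SOAR"}}',
    '{"preview":false,"offset":1,"result":{"_time":"2024-09-03T10:00:02.000+00:00",'
    '"_raw":"2024-09-03 10:00:02,000 ERROR sendmodalert - action=sendtophantom - Missing required field: param.label"}}',
    '{"preview":false,"offset":2,"result":{"_time":"2024-09-03T10:00:01.000+00:00",'
    '"_raw":"2024-09-03 10:00:01,000 ERROR sendmodalert - action=sendtophantom - No server configuration named \'default splunk phantom\'"}}',
    '{"preview":false,"offset":3,"lastrow":true,"result":{"_time":"2024-09-03T09:59:00.000+00:00",'
    '"_raw":"2024-09-03 09:59:00,000 ERROR sendmodalert - action=runphantomplaybook - Missing required field: param.server_playbook_name"}}',
]


def validate_params(action, params, configured_servers):
    """Return a list of problems with the param.* values; an empty list means well-formed."""
    required = REQUIRED_SENDTOPHANTOM if action == "sendtophantom" else REQUIRED_RUNPLAYBOOK
    problems = [f"missing required field param.{k}" for k in required if k not in params]
    server = params.get("phantom_server")
    if server is not None and server not in configured_servers:
        # The match is exact: case and every space count. Point out a near miss if there is one.
        near = next((c for c in configured_servers if c.strip().lower() == server.strip().lower()), None)
        msg = f"param.phantom_server={server!r} is not a configured SOAR Instance"
        if near is not None:
            msg += f"; did you mean {near!r}? (case and spaces must match exactly)"
        problems.append(msg)
    workers = params.get("_cam_workers")
    if workers is not None:
        try:
            ok = isinstance(json.loads(workers), list)
        except ValueError:
            ok = False
        if not ok:
            problems.append('param._cam_workers must be a JSON list such as ["local"]')
    return problems


def build_sendalert(action, params):
    """Render the sendalert clause; embedded double quotes are backslash-escaped for SPL."""
    def q(v):
        return '"' + str(v).replace('"', '\\"') + '"'
    return f"| sendalert {action} " + " ".join(f"param.{k}={q(v)}" for k, v in params.items())


def extract_errors(export_lines, action):
    """Return the _raw of ERROR events for the given action from export output, newest first."""
    found = []
    for line in export_lines:
        line = line.strip()
        if not line:
            continue
        raw = json.loads(line).get("result", {}).get("_raw", "")
        if f"action={action}" in raw and " ERROR " in raw:
            found.append(raw)
    return found


def search_modactions(splunk_url, token, action, earliest="-24h"):
    """Run the page's search via the REST API and return the raw export lines.

    splunk_url is the management endpoint, e.g. https://splunk.example.com:8089
    (assumed); token is a Splunk authentication token for a user who can read
    index=cim_modactions. The Splunk certificate is verified by default.
    """
    body = urllib.parse.urlencode({
        "search": f'search index="cim_modactions" | search {action}',
        "earliest_time": earliest,
        "output_mode": "json",
    }).encode()
    req = urllib.request.Request(f"{splunk_url}/services/search/jobs/export", data=body,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read().decode().splitlines()


if __name__ == "__main__":
    servers = ["Default Splunk Phantom"]  # assumed: the SOAR Instance names shown in Send to SOAR
    params = {"phantom_server": "default splunk phantom", "sensitivity": "amber",
              "severity": "low", "label": "events", "_cam_workers": '["local"]'}
    for p in validate_params("sendtophantom", params, servers):
        print("problem:", p)
    print(build_sendalert("sendtophantom", params))
    if len(sys.argv) == 3:  # usage: script.py https://splunk.example.com:8089 <token>
        for raw in extract_errors(search_modactions(sys.argv[1], sys.argv[2], "sendtophantom"), "sendtophantom"):
            print(raw)
```

Running the script without arguments exercises the offline checks against the constructed sample; pass the management URL and a token to replace step 2 of the procedure with a scripted pull of the most recent sendtophantom errors.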

Tips

Server configuration that does not always use a proxy

If you want to reach Splunk SOAR through a proxy for some exports but not for others, follow these steps:

  1. In Splunk SOAR, create multiple automation users. For details, see
  2. In Splunk App for SOAR Export, create a server configuration for each automation user and enable the proxy setting on only one of them, then select the appropriate configuration for each export. For details, see Connect the Splunk App for SOAR Export and the Splunk Platform to Splunk SOAR.
Last modified on 03 September, 2024

This documentation applies to the following versions of Splunk® App for SOAR Export: 4.3.2