Troubleshooting and tips for Splunk App for SOAR Export
Troubleshooting
If you encounter the following issues, follow these steps for guidance.
Problems with certificate validation
If you are having difficulty establishing a connection between Splunk SOAR and your Splunk Enterprise instance, you may see an error message that looks something like this:
Failed to communicate with user "" on SOAR server "https://example.com". Error: Httpsconnectionpool(host='example.com', port=443): max retries exceeded with url: /rest/ph_user?include_automation=true&_filter_token__key='<token>' (caused by sslerror(sslerror(1, u'[ssl: certificate_verify_failed] certificate verify failed (_ssl.c:741)'),))
The app's Python HTTPS client rejects the connection because the certificate the Splunk SOAR server presents does not verify: it is not issued by a certificate authority that the Splunk platform trusts, or it does not match the host name in the SOAR server URL. Fix the certificate rather than disabling verification. See Provide a valid SSL certificate for the connection between Splunk SOAR and Splunk Enterprise for information on how to fix this issue.
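To see exactly what the app's Python client sees before you change any certificate, you can probe the SOAR server with the standard library. This is an added example, not code from Splunk App for SOAR Export or Splunk SOAR; the host name soar.example.com, the optional CA bundle path, and the remedy text attached to each OpenSSL verify code are assumptions for illustration. Passing a candidate CA bundle as cafile lets you confirm the fix works before you configure it on the Splunk platform.

```python
"""Probe the certificate a Splunk SOAR server presents, the way the app's
Python HTTPS client sees it. Added example, not code from Splunk App for
SOAR Export; soar.example.com and the remedy table are assumptions."""
import socket
import ssl
from typing import Optional

# OpenSSL X509_V_ERR_* codes behind most CERTIFICATE_VERIFY_FAILED reports.
# Numeric values are OpenSSL's; the remedy text is this example's own.
VERIFY_GUIDANCE = {
    10: "certificate has expired: renew the certificate on the SOAR server",
    18: "self-signed leaf certificate: issue one from a CA the Splunk platform "
        "trusts, or add this certificate to that trusted bundle",
    19: "self-signed root in chain: add the internal root CA to the bundle "
        "the Splunk platform trusts",
    20: "issuer not found locally: the server omitted its intermediate "
        "certificates, or the root CA is missing from the trusted bundle",
    62: "hostname mismatch: the SAN does not contain the host in the SOAR "
        "server URL; reissue the certificate or use a name it covers",
}


def explain_verify_failure(code: Optional[int], message: str) -> str:
    """Map an OpenSSL verify code to the fix a practitioner needs."""
    return VERIFY_GUIDANCE.get(code, f"verification failed (code {code}): {message}")


def san_dns_names(cert: dict) -> list:
    """DNS names from the dict shape ssl.SSLSocket.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def rdn_string(name) -> str:
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) into 'commonName=x, ...'."""
    return ", ".join(f"{key}={value}" for rdn in name for key, value in rdn)


def hostname_matches(host: str, names: list) -> bool:
    """RFC 6125 style match: exact name, or a single leftmost '*' label."""
    host = host.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def probe(host: str, port: int = 443, cafile: Optional[str] = None,
          timeout: float = 5.0) -> dict:
    """Do the same verified handshake a default Python client does.

    cafile lets you test a candidate trusted bundle before touching the
    Splunk side; verification is never disabled to make the error go away.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as err:
        return {
            "ok": False,
            "verify_code": err.verify_code,
            "advice": explain_verify_failure(err.verify_code, err.verify_message),
        }
    names = san_dns_names(cert)
    return {
        "ok": True,
        "subject": rdn_string(cert.get("subject", ())),
        "issuer": rdn_string(cert.get("issuer", ())),
        "san": names,
        "name_ok": hostname_matches(host, names),
        "not_after": cert.get("notAfter"),
    }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "soar.example.com"  # assumed host
    bundle = sys.argv[2] if len(sys.argv) > 2 else None                 # optional CA file
    print(probe(target, cafile=bundle))
```

Run it as `python probe.py soar.example.com /path/to/internal-ca.pem`; a result with "ok": False names the OpenSSL verify code and the matching remedy, while "ok": True with "name_ok": True means the same certificate will pass in the app once the platform trusts that bundle.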
Error assigning the automation role to a user
If you are using the Automation role in Splunk SOAR and get an error, try entering "any" in the allowed IPs field for that automation user. This accepts the user's token from any source address, so use it only to confirm connectivity. Once you establish communication between Splunk SOAR and your Splunk platform instance, change the allowed IPs back to the IP address or IP range of the Splunk platform instance.
Error adding a label using Splunk Enterprise Security
To see if an error occurred when you added a label, run the following search:
index=cim_modactions sourcetype="modular_alerts:phantom_forward" ERROR
The Splunk SOAR server configuration cannot be added to Splunk App for SOAR Export
In some cases, the Splunk App for SOAR Export server configuration and searches may display an error message like this example in $SPLUNK_HOME/var/log/splunk/python.log:
Error talking to splunk: GET /servicesNS/nobody/phantom/configs/conf-phantom: [HTTP 403] Client is not authorized to perform requested action;
Only admins can read and modify the configuration of the Splunk SOAR instance, because only admins have the phantom_read, phantom_write, and admin_all_objects capabilities. If you are not an administrator but have the phantom_read capability, you can view the configuration, but you cannot modify it.
For details on Splunk App for SOAR Export roles, see Allow Splunk platform users to use Splunk App for SOAR Export.
Container labels not showing up in Splunk SOAR
With data model and saved search exports, the container label must already exist on the Splunk SOAR server, or the exported containers do not appear in Splunk SOAR under that label. It is easiest to leave the container label as the default. When you leave the label as the default, the app finds a generic label that exists in Splunk SOAR and uses it.
Saving a Splunk Data Model Export fails with an error
Saving a data model export in Splunk App for SOAR Export fails with the following error if Splunk Enterprise or Splunk Cloud Platform is configured to use the Free license group:
Argument "action.script" is not supported by this handler.
Saved searches are disabled on Splunk App for SOAR Export in the Free license group. The minimum license level required for saved search functionality is the Trial license group. You can view your current license level in Splunk Web by selecting Settings > System > Licensing.
The sendalert command returns error code 3
You can use the sendalert command to send events (sendtophantom) or run a playbook (runphantomplaybook) on your Splunk SOAR instance. For example, the following search creates a src_ip field, which the app maps to the CEF field src_ip in the resulting Splunk SOAR artifact:
| makeresults
| eval src_ip="123.45.66.77"
| sendalert sendtophantom param.phantom_server="Default Splunk Phantom" param.sensitivity="amber" param.severity="low" param.label="events" param._cam_workers="[\"local\"]"
The following example sends a run playbook request to Splunk SOAR:
| makeresults
| eval src_ip="123.45.66.77"
| sendalert runphantomplaybook param.server_playbook_name="Default: phmarketing/mkt1" param.sensitivity="amber" param.severity="low" param.label="events" param._cam_workers="[\"local\"]"
In the sendalert command, make sure the param.phantom_server value matches the value in the SOAR Instance field in the Send to SOAR dialog in the user interface. The value is case sensitive and must be an exact match against all characters, including spaces.
In some cases, you might see an error like this from the sendalert command:
Error in 'sendalert' command: Alert script returned error code 3
To find the cause of the error, follow these steps:
- Open a new browser tab for the Splunk platform. Navigate to the Search tab.
- In the Search field, enter one of the following searches, based on your sendalert command:
index="cim_modactions"| search sendtophantom
index="cim_modactions"| search runphantomplaybook
- A list displays, showing all sendtophantom or runphantomplaybook events. Select the arrow next to the most recent event to expand its details. You might see a message about a missing required field or a mismatched value.
- Return to your original browser tab for the Splunk platform, update the sendalert command, and run it again.
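The same diagnosis can be scripted against the Splunk REST API, which is handy when error code 3 shows up in a scheduled search rather than an interactive one. The script below is an added example, not code from Splunk App for SOAR Export: it runs the cim_modactions search from the steps above as a oneshot search on the management port, picks the newest sendtophantom or runphantomplaybook event, and checks a param.phantom_server value against the configured SOAR Instance names byte for byte, since a case or whitespace difference is the usual cause of the mismatch. The management URL https://splunk.example.com:8089, the authentication token, the 24-hour window and the SAMPLE_RESULTS list are assumptions or constructed data.

```python
"""Run the error-code-3 diagnostic search through the Splunk REST API and show
the newest sendtophantom / runphantomplaybook event. Added example, not code
from Splunk App for SOAR Export; the management URL, token, time window and
SAMPLE_RESULTS below are assumptions or constructed data."""
import json
import ssl
import urllib.parse
import urllib.request
from typing import List, Optional, Tuple

ACTIONS = ("sendtophantom", "runphantomplaybook")


def build_search(action: str) -> str:
    """The search from the troubleshooting steps, with the leading 'search'
    keyword that the /services/search/jobs endpoint requires."""
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {ACTIONS}")
    return f'search index="cim_modactions" | search {action}'


def run_oneshot(base_url: str, token: str, spl: str,
                cafile: Optional[str] = None, earliest: str = "-24h") -> List[dict]:
    """POST a oneshot search to the management port and return its results.

    base_url is the management endpoint, e.g. https://splunk.example.com:8089
    (assumed); token is a Splunk authentication token sent as a Bearer header.
    cafile lets you trust an internal CA instead of turning verification off.
    """
    body = urllib.parse.urlencode({
        "search": spl,
        "exec_mode": "oneshot",
        "output_mode": "json",
        "earliest_time": earliest,
        "latest_time": "now",
    }).encode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/services/search/jobs",
        data=body,
        headers={"Authorization": f"Bearer {token}"},
        method="POST",
    )
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return json.load(resp)["results"]


def newest_event(results: List[dict]) -> Optional[dict]:
    """Pick the most recent result by _time (ISO 8601, so string order is time
    order within one zone offset) and flag whether it looks like a failure."""
    if not results:
        return None
    top = max(results, key=lambda r: r.get("_time", ""))
    raw = top.get("_raw", "")
    return {"time": top.get("_time"), "raw": raw, "is_error": "ERROR" in raw}


def exact_server_match(name: str, configured: List[str]) -> Tuple[bool, Optional[str]]:
    """param.phantom_server must equal a SOAR Instance name exactly.
    Returns (matched, near_miss): near_miss is a configured name that differs
    only in case or surrounding whitespace, which is what usually went wrong."""
    if name in configured:
        return True, None
    for candidate in configured:
        if candidate.strip().lower() == name.strip().lower():
            return False, candidate
    return False, None


# Constructed sample of a oneshot response's "results" list. The _raw text is
# illustrative only and does not reproduce the app's real log format.
SAMPLE_RESULTS = [
    {"_time": "2024-05-02T10:14:58.000+00:00",
     "_raw": 'INFO sendtophantom - sent 1 result to phantom_server="Default Splunk Phantom"'},
    {"_time": "2024-05-02T10:15:01.000+00:00",
     "_raw": 'ERROR sendtophantom - param.phantom_server="default splunk phantom" '
             'does not match any configured SOAR instance'},
]


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 3:  # live: python diag.py https://splunk.example.com:8089 <token>
        results = run_oneshot(sys.argv[1], sys.argv[2], build_search("sendtophantom"))
    else:                   # offline: walk through the constructed sample
        results = SAMPLE_RESULTS
    print(newest_event(results))
    print(exact_server_match("default splunk phantom", ["Default Splunk Phantom"]))
```

With no arguments the script walks the constructed sample and reports the ERROR event plus the near miss "Default Splunk Phantom"; with a management URL and token it runs the real search, so the account behind the token needs search access to the cim_modactions index.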
Tips
Server configuration that does not always use a proxy
If you want a server configuration to use a proxy sometimes, but not others, follow these steps:
- In Splunk SOAR, create multiple automation users. For details, see:
  - Splunk SOAR (cloud): Add users to Splunk SOAR (Cloud).
  - Splunk SOAR (on-premises): Add users to Splunk SOAR (On-premises).
- In Splunk App for SOAR Export, create a server configuration for each automation user and enable the proxy setting on only one of them. Select the proxied configuration when the traffic must go through the proxy and the other when it must not. For details, see Connect the Splunk App for SOAR Export and the Splunk Platform to Splunk SOAR.
This documentation applies to the following versions of Splunk® App for SOAR Export: 4.3.13, 4.3.21