topic Re: Connectivity Issue between Splunk Phantom and Splunk Enterprise - runquery action doesn't return any data in Splunk SOAR

Connectivity Issue between Splunk Phantom and Splunk Enterprise - runquery action doesn't return any data

d4wc3k — Sun, 07 Jun 2020 17:20:56 GMT

Hello everyone

I need help with using Splunk App in Phantom.
I am trying perform searches for Splunk in Phantom, everything seems to be configured fine, final status is success.
The problem is that action in most cases didn't return any events.

F.G
I have following simple query:
index=firewall earliest=-1m latest=now() sourcetype="pan:threat"

In Splunk it returns data, but if when I wanted use Phantom to perform query it doesn't return any results.
There is exceptions if I will use query with '| rest ' command it will return information.

Should I use run query in other way ? Or maybe it's related to current configuration?

Thanks a lot for response in advance.

BR.
Dawid

Re: Connectivity Issue between Splunk Phantom and Splunk Enterprise - runquery action doesn't return any data

ansusabu — Thu, 21 Nov 2019 10:29:09 GMT

You can use 'stats' at the end of query to return the necessary fields you require.

Re: Connectivity Issue between Splunk Phantom and Splunk Enterprise - runquery action doesn't return any data

d4wc3k — Thu, 21 Nov 2019 10:33:39 GMT

@ansusabu thanks for your response.

I tried use stats command, but it still returns 0 events.

Re: Connectivity Issue between Splunk Phantom and Splunk Enterprise - runquery action doesn't return any data

ansusabu — Thu, 21 Nov 2019 10:43:56 GMT

Check the json file that you are receiving after the action. And try expanding the time range

Re: Connectivity Issue between Splunk Phantom and Splunk Enterprise - runquery action doesn't return any data

d4wc3k — Wed, 30 Sep 2020 03:06:48 GMT

@ansusabu
JSON file doesn't contain any data, please refer top its content:
[{"status": "success", "parameter": {"query": "index=firewall earliest=-1m latest=now() sourcetype=\"pan:threat\" | stats count by src_ip,action", "context": {"guid": "xxxx", "artifact_id": 0, "parent_action_run": []}}, "message": "Total events: 0", "data": [], "summary": {"total_events": 0}}]

Re: Connectivity Issue between Splunk Phantom and Splunk Enterprise - runquery action doesn't return any data

d4wc3k — Wed, 30 Sep 2020 03:04:09 GMT

The previous problem was resolved by giving username right permission to get data from indexes. 🙂
I have for now other problem, I am trying integrate other instance of Splunk with Phantom and in this case I receive following error during query execution:

Query invalid 'search index=*mail earliest=-1m latest=now() |stats count by internal_message_id'. Error string: 'HTTP 403 Forbidden -- insufficient permission to access this resource*

Did you maybe have similar issue with accessing data from Splunk ES in Phantom?

BR
Dawid

Re: Connectivity Issue between Splunk Phantom and Splunk Enterprise - runquery action doesn't return any data

WalshyB — Wed, 30 Sep 2020 03:13:28 GMT

Here are the permissions I've got for performing actions from Phantom to Splunk:

rest_properties_get
run_collect
run_mcollect
search

Hopefully this helps. We haven't had any issues with it.

Re: Connectivity Issue between Splunk Phantom and Splunk Enterprise - runquery action doesn't return any data

d4wc3k — Tue, 03 Dec 2019 15:50:49 GMT

@WalshyB :
Adding 'search' capability for used user in Splunk resolved problem 🙂
I forgot add this information here.

Re: Connectivity Issue between Splunk Phantom and Splunk Enterprise - runquery action doesn't return any data

ansusabu — Wed, 30 Sep 2020 06:50:55 GMT

Try using 'fields + *'