topic Re: Events not received in Phantom in Splunk SOAR

Events not received in Phantom

damode — Fri, 18 Jan 2019 04:46:51 GMT

I have created an alert in Splunk that fires off once a particular type of event is detected and also configured an alert action that should supposedly send that event to Phantom via "Send to Phantom" action.

However, despite the alert having firedoff multiple times, I still see no event received in Phantom.

I have tried sending the alerted event through "run Playbook in Phantom" alert action as well, still of no use. I have ensured connectivity between Phantom and Splunk is successful.

Tried other ways such as exporting saved search available in Splunk Phantom app, but that didnt work either. Can someone please share some documentation on the phantom app as well ? Thanks.

Re: Events not received in Phantom

tomaszdziwok — Fri, 18 Jan 2019 15:21:45 GMT

I had the exact same problem. In my case, I was trying to run the Phantom app on a Splunk Core instance (non-ES). As it turns out, the "Send to Phantom" alert action only works with ES Adaptive Response Framework.

From the phantom app's README:

PAPP-2914 - Alert action is available on non-ES capable Splunk instances. This feature is only supported on Splunk ES capable instances, and will be removed in future versions from display on Non-ES instances.

And this is the python code that exits with code 0 without showing the user an error:

try:
    from cim_actions import ModularAction
except:
    sys.exit(0)

The cim_actions module is part of Adaptive Response.

The only reliable documentation I have found for the app is the README itself.

Exporting the saved search should have worked though. Any sign of related issues in _internal?

Re: Events not received in Phantom

damode — Sun, 20 Jan 2019 22:59:56 GMT

Hi @tomaszdziwok, thanks. that explains it. I am also using non-ES splunk instance.

So, the only option to get events from Splunk non-ES instance to Phantom is the saved search, no option to send alerts ?

Re: Events not received in Phantom

damode — Mon, 21 Jan 2019 00:57:02 GMT

I tried forwarding events using the New Saved Search Export option
, however I am getting this error - File contains parsing errors: [line 2]: '\xef\xbb\xbf# Version 7.2.1\n'

Re: Events not received in Phantom

tomaszdziwok — Mon, 21 Jan 2019 08:34:18 GMT

That is strange. It looks like there is an unexpected BOM in the header of some file (I assume it's a python script). I did not experience this issue. If you identify exactly what file it is (perhaps through a stacktrace for this error in _internal), you could re-install/update that app and it would hopefully resolve the issue.

Re: Events not received in Phantom

tomaszdziwok — Tue, 29 Sep 2020 22:51:10 GMT

I managed to get alerting to work with a hacky solution. Note; this is not officially supported, and I am not the author of the code so I cannot vouch for it.
On my Splunk instance, I downloaded the file from (https://github.com/secops4thewin/TA-securitytrails/blob/7faf165ea8465f2feae8035a3c3405115cc9e399/bin/ta_securitytrails/cim_actions.py) and placed it in $SPLUNK_HOME/etc/apps/phantom/bin/. (the file is named cim_actions.py). With this in place, alerting is working fine for me.
Disclaimer; I would definitely not recommend running this in production. It's not a supported solution and I certainly can't guarantee that this code is trustworthy. If you choose to use this solution, you will be allowing the downloaded script to run with near-admin privileges on your Splunk instance! Again, I cannot stress enough that you should not use this without vetting the script first. That being said if, like me, you are just trying to get alerting working on an isolated dev instance; it might be worth a try.

Re: Events not received in Phantom

damode — Mon, 21 Jan 2019 22:18:19 GMT

I resolved this issue by downgrading the app from 2.5.2.3 to 2.5.2. I was able to get events in Phantom after that.

Re: Events not received in Phantom

damode — Mon, 21 Jan 2019 22:21:30 GMT

thanks alot for sharing this!
I will definitely give that a try on my test instance.

Re: Events not received in Phantom

Iliasdiamantako — Mon, 09 Mar 2020 16:14:58 GMT

@damode, the non-hacky approach is to install Splunk Common Information Model (CIM) app. It should be documented as a dependency.