Splunk SOAR (f.k.a. Phantom)

Connectivity Issue between Splunk Phantom and Splunk Enterprise - runquery action doesn't return any data

d4wc3k
Path Finder

Hello everyone

I need help with using Splunk App in Phantom.
I am trying perform searches for Splunk in Phantom, everything seems to be configured fine, final status is success.
The problem is that action in most cases didn't return any events.

F.G
I have following simple query:
index=firewall earliest=-1m latest=now() sourcetype="pan:threat"

In Splunk it returns data, but if when I wanted use Phantom to perform query it doesn't return any results.
There is exceptions if I will use query with '| rest ' command it will return information.

Should I use run query in other way ? Or maybe it's related to current configuration?

Thanks a lot for response in advance.

BR.
Dawid

Labels (3)
Tags (2)
0 Karma
1 Solution

WalshyB
SplunkTrust
SplunkTrust

Here are the permissions I've got for performing actions from Phantom to Splunk:

rest_properties_get
run_collect
run_mcollect
search

Hopefully this helps. We haven't had any issues with it.

View solution in original post

WalshyB
SplunkTrust
SplunkTrust

Here are the permissions I've got for performing actions from Phantom to Splunk:

rest_properties_get
run_collect
run_mcollect
search

Hopefully this helps. We haven't had any issues with it.

d4wc3k
Path Finder

@WalshyB :
Adding 'search' capability for used user in Splunk resolved problem 🙂
I forgot add this information here.

0 Karma

d4wc3k
Path Finder

The previous problem was resolved by giving username right permission to get data from indexes. 🙂
I have for now other problem, I am trying integrate other instance of Splunk with Phantom and in this case I receive following error during query execution:

Query invalid 'search index=*mail earliest=-1m latest=now() |stats count by internal_message_id'. Error string: 'HTTP 403 Forbidden -- insufficient permission to access this resource*

Did you maybe have similar issue with accessing data from Splunk ES in Phantom?

BR
Dawid

0 Karma

d4wc3k
Path Finder

@ansusabu thanks for your response.

I tried use stats command, but it still returns 0 events.

0 Karma

ansusabu
Communicator

Check the json file that you are receiving after the action. And try expanding the time range

0 Karma

d4wc3k
Path Finder

@ansusabu
JSON file doesn't contain any data, please refer top its content:
[{"status": "success", "parameter": {"query": "index=firewall earliest=-1m latest=now() sourcetype=\"pan:threat\" | stats count by src_ip,action", "context": {"guid": "xxxx", "artifact_id": 0, "parent_action_run": []}}, "message": "Total events: 0", "data": [], "summary": {"total_events": 0}}]

0 Karma

ansusabu
Communicator

Try using 'fields + *'

0 Karma

ansusabu
Communicator

You can use 'stats' at the end of query to return the necessary fields you require.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...