Splunk SOAR (f.k.a. Phantom)

Events not received in Phantom

damode
Motivator

I have created an alert in Splunk that fires off once a particular type of event is detected and also configured an alert action that should supposedly send that event to Phantom via "Send to Phantom" action.

However, despite the alert having fired off multiple times, I still see no event received in Phantom.

I have tried sending the alerted event through "run Playbook in Phantom" alert action as well, still of no use. I have ensured connectivity between Phantom and Splunk is successful.

Tried other ways such as exporting a saved search available in the Splunk Phantom app, but that didn't work either. Can someone please share some documentation on the Phantom app as well? Thanks.

0 Karma
1 Solution

tomaszdziwok
Path Finder

I had the exact same problem. In my case, I was trying to run the Phantom app on a Splunk Core instance (non-ES). As it turns out, the "Send to Phantom" alert action only works with ES Adaptive Response Framework.

From the phantom app's README:

PAPP-2914 - Alert action is available on non-ES capable Splunk instances. This feature is only supported on Splunk ES capable instances, and will be removed in future versions from display on Non-ES instances.

And this is the python code that exits with code 0 without showing the user an error:

import sys

try:
    # ModularAction comes from the Adaptive Response framework (cim_actions)
    from cim_actions import ModularAction
except:
    # bare except: on a non-ES instance the ImportError is swallowed and the
    # alert action exits with status 0, so nothing is logged or sent
    sys.exit(0)

The cim_actions module is part of Adaptive Response.

The only reliable documentation I have found for the app is the README itself.

Exporting the saved search should have worked though. Any sign of related issues in _internal?


0 Karma
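To make the failure mode in the accepted answer concrete, here is an added example (not code from the Phantom app or from any poster) of how the same dependency check can fail loudly instead of silently. It assumes only that a Splunk custom alert action is a Python script whose stderr and exit code Splunk records in _internal; the module name cim_actions is the one from the thread, and the action body is a labelled placeholder.

```python
import importlib
import sys


def load_modular_action():
    """Try to import ModularAction from the Adaptive Response framework.

    Returns the class on an instance that has cim_actions (Splunk ES, or the
    CIM app as suggested in the thread) and None elsewhere. Only ImportError
    is caught; any other exception is a real bug and is allowed to surface,
    unlike the bare `except:` in the app's alert action.
    """
    try:
        module = importlib.import_module("cim_actions")
    except ImportError:
        return None
    return getattr(module, "ModularAction", None)


def run(argv):
    """Entry point modelled on a Splunk custom alert action script.

    Returns the process exit code instead of calling sys.exit directly so the
    logic can be tested; the wrapper at the bottom performs the real exit.
    """
    action_cls = load_modular_action()
    if action_cls is None:
        # Loud failure: a message on stderr plus a non-zero exit code is
        # recorded by Splunk in _internal (sourcetype=splunkd, component
        # sendmodalert), so an operator can find it instead of seeing nothing.
        sys.stderr.write(
            "ERROR cim_actions is not installed (needs Splunk ES Adaptive "
            "Response or the CIM app); 'Send to Phantom' cannot run here\n"
        )
        return 1
    # Hypothetical placeholder: the real action would build a ModularAction
    # from argv/stdin and forward the result rows to Phantom.
    return 0


if __name__ == "__main__":
    sys.exit(run(sys.argv))
```

On a non-ES instance without the CIM app the script exits 1 with the message above, which is exactly the trace the original poster was missing; on an instance that has cim_actions the import succeeds and the action proceeds.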


damode
Motivator

Hi @tomaszdziwok, thanks, that explains it. I am also using a non-ES Splunk instance.

So, the only option to get events from a Splunk non-ES instance to Phantom is the saved search, no option to send alerts?

0 Karma

Iliasdiamantako
New Member

@damode, the non-hacky approach is to install Splunk Common Information Model (CIM) app. It should be documented as a dependency.

0 Karma

tomaszdziwok
Path Finder

I managed to get alerting to work with a hacky solution. Note: this is not officially supported, and I am not the author of the code so I cannot vouch for it.
On my Splunk instance, I downloaded the file from (https://github.com/secops4thewin/TA-securitytrails/blob/7faf165ea8465f2feae8035a3c3405115cc9e399/bin...) and placed it in $SPLUNK_HOME/etc/apps/phantom/bin/. (the file is named cim_actions.py). With this in place, alerting is working fine for me.
Disclaimer: I would definitely not recommend running this in production. It's not a supported solution and I certainly can't guarantee that this code is trustworthy. If you choose to use this solution, you will be allowing the downloaded script to run with near-admin privileges on your Splunk instance! Again, I cannot stress enough that you should not use this without vetting the script first. That being said, if, like me, you are just trying to get alerting working on an isolated dev instance, it might be worth a try.

damode
Motivator

Thanks a lot for sharing this!
I will definitely give that a try on my test instance.

0 Karma

damode
Motivator

I tried forwarding events using the New Saved Search Export option; however, I am getting this error: File contains parsing errors: [line 2]: '\xef\xbb\xbf# Version 7.2.1\n'

0 Karma

tomaszdziwok
Path Finder

That is strange. It looks like there is an unexpected BOM in the header of some file (I assume it's a python script). I did not experience this issue. If you identify exactly what file it is (perhaps through a stacktrace for this error in _internal), you could re-install/update that app and it would hopefully resolve the issue.
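The error text quoted above ("File contains parsing errors: ... [line N]: ...") is the wording of Python 2's ConfigParser.ParsingError, so the file with the stray byte order mark is a config-style file the app reads, and the line number in the message points at the offending line. As an added example (not code from the Phantom app or from any poster), the script below scans an app directory for .conf and .py files that have a UTF-8 BOM at the start of a line and builds a small constructed app directory, with the BOM on line 2 as in the reported error, to show the output. File names and contents in the demo are constructed, and whether the stripping helper is safe to apply depends on the file being otherwise valid.

```python
import os
import tempfile

UTF8_BOM = b"\xef\xbb\xbf"


def bom_lines(path):
    """Return the 1-based line numbers in `path` that begin with a UTF-8 BOM.

    Files are read as bytes so the BOM is seen as the three raw bytes that
    ConfigParser chokes on rather than being transparently decoded away.
    """
    hits = []
    with open(path, "rb") as fh:
        for number, line in enumerate(fh, start=1):
            if line.startswith(UTF8_BOM):
                hits.append(number)
    return hits


def scan_app(app_dir):
    """Walk an app directory and map each .conf/.py file with a BOM to its lines."""
    findings = {}
    for root, _dirs, files in os.walk(app_dir):
        for name in files:
            if name.endswith((".conf", ".py")):
                path = os.path.join(root, name)
                hits = bom_lines(path)
                if hits:
                    findings[os.path.relpath(path, app_dir)] = hits
    return findings


def strip_bom(data):
    """Remove a UTF-8 BOM at the start of the data and after any newline."""
    if data.startswith(UTF8_BOM):
        data = data[len(UTF8_BOM):]
    return data.replace(b"\n" + UTF8_BOM, b"\n")


def demo():
    """Constructed app directory: default/app.conf carries a BOM on line 2,
    mirroring the reported error, while alert_actions.conf is clean."""
    app_dir = tempfile.mkdtemp(prefix="constructed_phantom_app_")
    default_dir = os.path.join(app_dir, "default")
    os.makedirs(default_dir)
    with open(os.path.join(default_dir, "app.conf"), "wb") as fh:
        fh.write(b"\n" + UTF8_BOM + b"# Version 7.2.1\n[install]\nstate = enabled\n")
    with open(os.path.join(default_dir, "alert_actions.conf"), "wb") as fh:
        fh.write(b"[sendtophantom]\nlabel = Send to Phantom\n")
    return scan_app(app_dir)


if __name__ == "__main__":
    for path, lines in sorted(demo().items()):
        print("%s: BOM at line(s) %s" % (path, lines))
```

Pointing scan_app at $SPLUNK_HOME/etc/apps/phantom (or the app's local/ directory, which is the usual place for an edited file) gives the file name that the error message omits; once found, re-saving that file without a BOM, or reinstalling the app as suggested above, removes the parse failure.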

damode
Motivator

I resolved this issue by downgrading the app from 2.5.2.3 to 2.5.2. I was able to get events in Phantom after that.
