Splunk SOAR (f.k.a. Phantom)

Has anyone else had problems connecting SOAR to CrowdStrike to ingest detections?

andrewb
Observer

Our test connection is fine. We set the ingest to poll on a ten minute interval. We can see a successful outbound call get made through the proxy but no data is ingested from CrowdStrike.

Other apps we see hit the proxy at the defined interval period, but with CrowdStrike it's completely ad hoc, no matter whether we try interval or scheduled. It will do nothing for hours, and then hit it a couple of times and then go quiet.

Every couple of days it might bizarrely ingest something, but then stops again for days.

I can't find anything of relevance in the debug log ingestd.log and the SOAR console isn't indicating any ingestion errors. I have checked CrowdStrike's API rate limiting with a manual request and we aren't anywhere near reaching any limits.

Has anyone experienced anything like this? Not sure where to go from here, it's like it's failing to schedule correctly. However I can see the scheduled ingestion under ingestion summary in the console.

0 Karma
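One way to turn the observation above (other apps hit the proxy at their interval, CrowdStrike only ad hoc) into something measurable is to read the proxy access log and compare the inter-request gaps per destination host against the configured polling interval. This is an added example, not code from the thread or from Splunk; it assumes squid-style access log lines, and the host names, addresses and timestamps below are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed squid-style access log lines: "unix_ts elapsed client code/status bytes method url ...".
# Host names and addresses are made up for this example, not real endpoints.
SAMPLE_PROXY_LOG = """\
1700000000.000    120 10.0.0.5 TCP_TUNNEL/200 4521 CONNECT api.example-edr.test:443 - HIER_DIRECT/203.0.113.10 -
1700000000.000     95 10.0.0.5 TCP_TUNNEL/200 3120 CONNECT api.example-other.test:443 - HIER_DIRECT/203.0.113.20 -
1700000600.000    118 10.0.0.5 TCP_TUNNEL/200 4490 CONNECT api.example-edr.test:443 - HIER_DIRECT/203.0.113.10 -
1700000600.000     97 10.0.0.5 TCP_TUNNEL/200 3101 CONNECT api.example-other.test:443 - HIER_DIRECT/203.0.113.20 -
1700001200.000     99 10.0.0.5 TCP_TUNNEL/200 3140 CONNECT api.example-other.test:443 - HIER_DIRECT/203.0.113.20 -
1700001800.000     96 10.0.0.5 TCP_TUNNEL/200 3099 CONNECT api.example-other.test:443 - HIER_DIRECT/203.0.113.20 -
1700014400.000    121 10.0.0.5 TCP_TUNNEL/200 4503 CONNECT api.example-edr.test:443 - HIER_DIRECT/203.0.113.10 -
1700014650.000    119 10.0.0.5 TCP_TUNNEL/200 4488 CONNECT api.example-edr.test:443 - HIER_DIRECT/203.0.113.10 -
"""

# Fields: timestamp, elapsed ms, client, result code, bytes, method, url (the rest is ignored).
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+\S+\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def _host_of(url):
    """Extract the destination host from a CONNECT 'host:port' or a full URL."""
    if "://" in url:
        url = url.split("://", 1)[1]
    host = url.split("/", 1)[0]
    return host.rsplit(":", 1)[0] if ":" in host else host


def parse_proxy_log(text):
    """Return {host: sorted list of request timestamps} from squid-style lines."""
    by_host = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        by_host[_host_of(m.group("url"))].append(float(m.group("ts")))
    return {host: sorted(ts) for host, ts in by_host.items()}


def find_poll_anomalies(timestamps, expected_s, slow_factor=1.5, burst_factor=0.5):
    """Flag inter-request gaps that are far longer ("gap") or shorter ("burst") than expected.

    A gap longer than expected_s * slow_factor means at least one scheduled poll never
    reached the proxy; a gap shorter than expected_s * burst_factor means the scheduler
    fired several times close together (the "hit it a couple of times, then quiet" pattern).
    Each anomaly is (kind, previous_ts, current_ts, gap_seconds).
    """
    anomalies = []
    for prev, cur in zip(timestamps, timestamps[1:]):
        gap = cur - prev
        if gap > expected_s * slow_factor:
            anomalies.append(("gap", prev, cur, gap))
        elif gap < expected_s * burst_factor:
            anomalies.append(("burst", prev, cur, gap))
    return anomalies


def audit_polling(log_text, expected_s):
    """Run the anomaly check for every destination host seen in the log."""
    return {
        host: find_poll_anomalies(ts, expected_s)
        for host, ts in parse_proxy_log(log_text).items()
    }


if __name__ == "__main__":
    # A ten minute interval, as in the question above.
    for host, anomalies in audit_polling(SAMPLE_PROXY_LOG, 600).items():
        print(host, "OK" if not anomalies else anomalies)
```

In the constructed sample the second host polls every 600 seconds and reports nothing, while the first host shows one gap of nearly four hours followed by a burst 250 seconds later, which is the shape of the behaviour described in the question. Feeding the real proxy log through the same check gives a timeline of missed polls that can be lined up against ingestd.log and the ingestion summary in the console.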

andrewb
Observer

Hi @knot9 @CS_ , sorry for the delayed response.

I ended up lodging a support case with Splunk and it was a bug in the version of the SOAR app. I was provided with a new version and this fixed the issue. Hope it helps!

Regards,

Andrew

0 Karma

CS_
Path Finder

We use the 'Crowdstrike OAUTH API' app. We don't do any ingestion of events directly to SOAR, we send them to Splunk instead, and call SOAR to do the work by various Adaptive Responses. Our SOAR, Splunk and Crowdstrike are all in the cloud. We haven't had any issues at all with reaching CS.

I'm assuming you're self hosting SOAR - as you mention it calling out through the proxy. Do you have any other things in the way, like Firewall, IPS, etc that might be causing a block? A weird DNS issue maybe? I suppose a failure to resolve the crowdstrike domain would probably show up in the logs.

Have you tried with a different set of crowdstrike credentials? Maybe something funky with the current account?

When it seems to stop working - have you tried manually polling it in the App Asset Settings to see if that works?

One thing you could try is to disable the automatic polling, create a playbook that polls for events, then set that playbook to run on a timer as detailed here. We do this quite a lot for various playbooks that need to run like a cronjob.

0 Karma

knot9
Engager

I've actually had that same problem over the last few weeks and have gone through the same troubleshooting steps as you.

I started having issues with another app's ingestion a couple of weeks ago and also mentioned CrowdStrike in the support case, however, when it came time to jump on a call with support the CrowdStrike app was ingesting fine and has been since. 

Like you said it is very odd and not very consistent on when it does or doesn't work. 

0 Karma