Splunk SOAR (f.k.a. Phantom)

Why are we experiencing this Error "authentication failure on Phantom 4.10"?

mrzn
New Member

We are using Prompt with the time extended to 4 days. We have discovered that when the running time of a playbook exceeds the Inactivity Timeout in Account Security Settings, we get a playbook execution error and a lot of authentication failures when we want to change status, add a tag, etc. Is there an option so that we can use Prompt with a respond_in_mins larger than the Inactivity Timeout and avoid authentication failure errors? Phantom version 4.10.


phanTom
SplunkTrust

@mrzn I would remove the 4 days' wait and try to handle this in a different way, as this is far from best practice. Each playbook with a prompt waiting for a response will be keeping a daemon resource active the whole time, which is excessive, IMHO. It also isn't robust: if the server or daemon was ever restarted, you would lose all existing prompts!!

Depending on the use case, I think you would be better off sending an email with an encoded string that gets added to the HTML body; this usually contains the container_id the email was sent from and any other useful information to inform the automation upon reply and decryption. You then ingest the emails from the inbox where replies go to, and have a playbook that grabs the encrypted key, decrypts it and then takes the relevant action on the event. This way you are not keeping playbook(s) in a waiting state for up to 4 days.

There will likely be many ways to approach this; the above is something I have done a lot to get around the possible days' waiting for replies. Prompt timeouts should, again IMO, be no longer than an hour.


Happy to discuss further if you need!

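An added example (not code from either poster or from Splunk) of the reply-token pattern phanTom describes: a tamper-evident token carrying the container_id, the requested action and an expiry is embedded in the outgoing mail, and the ingestion playbook verifies it before acting on the reply. It uses an HMAC-signed token rather than encryption, since the fields need integrity more than secrecy; the SOAR-TOKEN marker, the field names and the secret handling are assumptions.

```python
import base64
import hashlib
import hmac
import json
import re
import time
from typing import Optional

# Constructed example value: in a real deployment keep the secret in the SOAR asset/vault, not in the playbook.
SECRET = b"constructed-example-secret-change-me"
TOKEN_RE = re.compile(r"SOAR-TOKEN:([A-Za-z0-9_-]+)")  # assumed marker placed in the outgoing mail body
SIG_LEN = hashlib.sha256().digest_size

def make_reply_token(container_id: int, action: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Build an opaque, tamper-evident token to embed in the outgoing email body."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"cid": container_id, "act": action, "exp": now + ttl_seconds}).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + sig).decode().rstrip("=")

def parse_reply_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Verify a token found in a reply; return its fields, or None if tampered, malformed or expired."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:
        return None
    payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
    # compare_digest avoids timing side channels; an unsigned or altered token fails here
    if len(sig) != SIG_LEN or not hmac.compare_digest(sig, hmac.new(SECRET, payload, hashlib.sha256).digest()):
        return None
    try:
        fields = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(fields, dict) or fields.get("exp", 0) < now:
        return None  # expired: the analyst replied after the approval window closed
    return fields

def action_from_reply(body: str, now: Optional[int] = None) -> Optional[dict]:
    """Pull the token out of a (possibly quoted) reply body and return the verified instruction."""
    match = TOKEN_RE.search(body)
    return parse_reply_token(match.group(1), now) if match else None

if __name__ == "__main__":
    # Constructed outgoing mail and analyst reply, standing in for the ingested email artifact
    token = make_reply_token(container_id=4242, action="close_event", ttl_seconds=4 * 24 * 3600, now=1_700_000_000)
    reply = "Approved, go ahead.\n\n> Please reply to approve.\n> SOAR-TOKEN:" + token + "\n"
    print(action_from_reply(reply, now=1_700_000_000 + 3600))
```

Because the reply carries its own authenticated state, no playbook has to stay in a waiting state, and a restart of the server or daemon loses nothing.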

mrzn
New Member

I have chosen another option. I have created an action to add a workbook to the container with only one action: to run this last playbook with the Prompt inside. Now the analyst can manually and easily run the playbook when needed.
