Splunk SOAR

Can't connect Splunk SOAR to Splunk Enterprise Security

Alan_Chan
Explorer

I am using Enterprise 9.3.2, ES 8.1.0, and SOAR 6.4.1 to test the pairing function. Both devices are on-premises and in the same subnet, with no network issues between them. However, when I try to use the pairing function in ES, the following error message appears:
"Cannot connect to SOAR. Check that the ES IP address is included on the SOAR stack allow list."

When I check the internal log, it shows the following error:
"Unexpected error when attempting pairing: HTTPSConnectionPool(host='xxx.xxx.xxx.xxx', port=8443): Max retries exceeded with URL: /rest/version (Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1143)')))".

Does anyone have any ideas on how to resolve this?

0 Karma

simo1
Observer

Hello @Alan_Chan, did you resolve the problem? I have the same problem. I tried to disable HTTPS verification but still get the sslv3 alert handshake failure.

0 Karma

PrewinThomas
Motivator

@Alan_Chan 

Is your ES IP added to your SOAR allow list?
Check the connection before pairing: confirm that Enterprise Security can initiate a TCP connection for REST calls to the SOAR port.
Also, the error highlights an SSL handshake failure. Are you using a self-signed or a valid CA certificate in SOAR?
Also note that Splunk Enterprise Security requires a valid SSL certificate to communicate with Splunk SOAR.

Ref: https://help.splunk.com/en/splunk-enterprise-security-8/administer/8.0/configuration-and-settings/pa...

 

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma

VatsalJagani
SplunkTrust

@Alan_Chan - Are you sure your Splunk port is 8443??

 

0 Karma

Alan_Chan
Explorer

Splunk ES is using port 8000 while SOAR is using port 8443.

0 Karma

VatsalJagani
SplunkTrust

@Alan_Chan - Here is what I understand:

* You are using SOAR on port 8443.

* You are trying to connect SOAR from Splunk ES as per this - https://help.splunk.com/en/splunk-soar/soar-on-premises/administer-soar-on-premises/6.4.1/introducti...

 

If this is the case and if:

* you are entering the IP & credentials correctly

* and there is no connectivity issue.

 

Then it is most likely an SSL certificate validation issue. Your error also suggests the same thing.


 

You can follow the document to fix it - https://help.splunk.com/en/splunk-soar/soar-on-premises/administer-soar-on-premises/6.4.1/manage-spl...

* Please kindly understand SSL certificates well before you apply this on Production to avoid any issues.

 

I hope this helps!!! Kindly upvote if it does!!!

0 Karma
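
An added example (not written by any poster in this thread, and not Splunk code): a stand-alone Python probe that separates the checks raised in the replies above (TCP reachability, TLS negotiation, certificate verification) so the failing stage is unambiguous. The helper name `probe_tls` is hypothetical, and the host, port and optional CA bundle are whatever you pass on the command line.

```python
import socket
import ssl
import sys


def probe_tls(host, port, cafile=None, timeout=5.0):
    """Return (stage, detail): the first failing stage, or ("ok", detail)."""
    # Stage 1: plain TCP. A failure here is routing, firewall or allow list.
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp", f"cannot open TCP connection: {exc}")

    # Stage 2: TLS handshake with certificate checks disabled, so a failure
    # here is not about trusting the server certificate.
    relaxed = ssl.create_default_context()
    relaxed.check_hostname = False
    relaxed.verify_mode = ssl.CERT_NONE
    try:
        with relaxed.wrap_socket(raw, server_hostname=host) as tls:
            negotiated = f"{tls.version()} / {tls.cipher()[0]}"
    except (ssl.SSLError, OSError) as exc:
        raw.close()
        return ("handshake", f"negotiation failed: {exc}")

    # Stage 3: fresh connection with chain and hostname verification enabled,
    # against the system trust store or the CA bundle given in cafile.
    strict = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw2:
            with strict.wrap_socket(raw2, server_hostname=host):
                pass
    except ssl.SSLCertVerificationError as exc:
        return ("certificate", f"{negotiated}; {exc.verify_message}")
    except (ssl.SSLError, OSError) as exc:
        return ("handshake", f"strict handshake failed: {exc}")
    return ("ok", negotiated)


if __name__ == "__main__":
    # Usage: python probe_tls.py <soar-host> <port> [ca-bundle.pem]
    if len(sys.argv) < 3:
        sys.exit("usage: probe_tls.py <soar-host> <port> [ca-bundle.pem]")
    stage, detail = probe_tls(sys.argv[1], int(sys.argv[2]), *sys.argv[3:4])
    print(f"{stage}: {detail}")
```

Run it from the Enterprise Security host against the SOAR address and port. A `handshake` result is reported with verification already off, so it concerns protocol or cipher negotiation, while a `certificate` result concerns the CA chain or hostname on the SOAR certificate.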