Hi team,
Could you please help me with how to get health alert notifications in Phantom.
Thanks in advance.
Regards,
Harisha
Hi @harishlnu
One of the ways is using the REST API /rest/health of SOAR: the status field contains all the daemons' health information and additional info on resource utilization.
https://docs.splunk.com/Documentation/SOAR/current/PlatformAPI/RESTInfo#.2Frest.2Fhealth
To monitor, I would run an external script, or, if you are using Splunk Enterprise, by using the | restsoar command you can call the above REST API and create an alert. You should install the official Splunk App for SOAR, https://splunkbase.splunk.com/app/6361, to use the | restsoar command.
--------
Srikanth Yarlagadda
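The "external script" route described above, as an added example that is not code from this thread or from Splunk: it fetches /rest/health with an automation-user token (the ph-auth-token header SOAR's REST API uses), keeps TLS verification on, and turns the response into findings that a cron job or monitoring agent can alert on via the exit status. The exact response fields are documented at the /rest/health link above; the field names in SAMPLE_HEALTH (daemons, running, the *_usage_pct values) are assumed for illustration and must be adapted to the documented response.

```python
"""Poll Splunk SOAR's /rest/health and turn the result into alertable findings.

Added example; not code from the original thread or from Splunk. The field
names used below are ASSUMED for illustration: check them against the
/rest/health response documented for your SOAR version.
"""
import json
import ssl
import sys
import urllib.request

# Constructed sample response in the ASSUMED shape: a "status" object holding
# per-daemon state plus resource-utilisation percentages.
SAMPLE_HEALTH = {
    "status": {
        "daemons": {
            "actiond": {"running": True},
            "decided": {"running": True},
            "ingestd": {"running": False},
            "workflowd": {"running": True},
        },
        "cpu_usage_pct": 42.0,
        "memory_usage_pct": 71.5,
        "disk_usage_pct": 93.0,
    },
    "version": "6.2.1",
}


def fetch_health(base_url, token, cafile=None, timeout=10):
    """GET /rest/health with a SOAR automation-user token.

    The token is sent in the ph-auth-token header. TLS verification stays on;
    point cafile at your private CA bundle rather than disabling verification.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        base_url.rstrip("/") + "/rest/health",
        headers={"ph-auth-token": token},
    )
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return json.load(resp)


def evaluate_health(health, cpu_max=90.0, mem_max=90.0, disk_max=85.0):
    """Return a list of human-readable findings; an empty list means healthy.

    A missing daemon section or missing utilisation value is itself reported,
    so a truncated or reshaped response raises an alert instead of passing.
    """
    findings = []
    status = health.get("status", {})
    daemons = status.get("daemons", {})
    if not daemons:
        findings.append("no daemon information in response")
    for name, info in sorted(daemons.items()):
        if not info.get("running", False):
            findings.append(f"daemon {name} is not running")
    limits = (
        ("cpu_usage_pct", cpu_max),
        ("memory_usage_pct", mem_max),
        ("disk_usage_pct", disk_max),
    )
    for key, limit in limits:
        value = status.get(key)
        if value is None:
            findings.append(f"{key} missing from response")
        elif value > limit:
            findings.append(f"{key}={value} exceeds {limit}")
    return findings


def main(argv):
    """Usage: soar_health.py https://soar.example.com TOKEN  (exit 1 on findings)."""
    if len(argv) != 3:
        print("usage: soar_health.py <base_url> <token>", file=sys.stderr)
        return 2
    findings = evaluate_health(fetch_health(argv[1], argv[2]))
    for finding in findings:
        print("ALERT:", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run from cron or a monitoring agent and alert on a non-zero exit status; with the constructed sample the script reports ingestd down and disk usage over the threshold. Keep the token for a least-privilege automation user that only needs read access, and never pass verify=False or an unverified SSL context to talk to the appliance.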
Hi @venkatasri
Do you have a query to check health alerts using the Splunk App for SOAR?
Kindly help me with this.
Regards,
Harisha
@harishlnu, if you have one of the more recent versions of SOAR, then it now has a forwarder on it with the ability to send a lot of different logs to Splunk via the UF embedded in the platform. There is a huge amount of data in these logs that could be teased out into SPL alerts.
Are you able to advise what kind of things you are looking to monitor?
OS health can be done using the *nix Splunk Add-on; playbook/action failures are in the logs, as is access data via the wsgi.log file. Daemon logs, such as decided/ingestd/etc., can also provide data about functionality, and these are also able to be sent to Splunk via the Forwarder Settings in Administration in SOAR.
-- Hope this helps! Happy SOARing --
@phanTom
My requirement is to get notifications about ingestion.
Example: if a notable is created in Splunk ES, but that notable is not created in Splunk Phantom,
then it should notify us.
Please help me with your suggestions on this.
Regards
Harisha
@harishlnu
If a Correlation Search is configured to send to SOAR, then you just need the _internal logs for the modaction send_to_phantom to be checked for failures in sending; then also use the ingestd.log to look for failures to ingest on the SOAR side. The ingestd.log should be one of the DAEMON logs you can forward from SOAR to Splunk.
For the forwarding part: https://docs.splunk.com/Documentation/SOARonprem/6.2.1/Admin/Forwarders
The other element is just using SPL to look for things in the logs sent from SOAR to Splunk. The Splunk App for SOAR will have docs on what sourcetypes it sends through, which would include ingestd.log.
You should have enough information now to do some research and start to develop what you need.
-- Happy SOARing --
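The Splunk-side half of the check described above (send_to_phantom failures in _internal), as an added example that is not code from this thread or from Splunk. splunkd's sendmodalert component logs an "Invoking modular alert action=... sid=..." line, any STDERR the action script writes, and a "completed in duration=... ms with exit code=..." line; the completion line does not repeat the sid, so the code correlates it with the open invocation on the same AlertNotifierWorker thread, which is the same join you would do in SPL with a transaction on the thread field. The sample lines are constructed from my recollection of that format, so verify the wording against your own _internal index before trusting the regexes; a run that never logs a completion line is reported as incomplete, which catches actions that hung or were killed.

```python
"""Find send_to_phantom alert-action runs that failed or never completed,
from Splunk _internal (sourcetype=splunkd, component=sendmodalert) lines.

Added example; not code from the thread or from Splunk. The sample lines are
CONSTRUCTED and the message wording is my recollection of the sendmodalert
format, so check the regexes against real _internal events.
"""
import re

SAMPLE_INTERNAL_LOG = """\
01-05-2024 10:15:02.101 +0000 INFO  sendmodalert [4711 AlertNotifierWorker-0] - Invoking modular alert action=send_to_phantom for search="Threat - Suspicious Login - Rule" sid="scheduler__admin__SplunkEnterpriseSecuritySuite__RMD5aaa_at_1704449700_17" in app="SplunkEnterpriseSecuritySuite" owner="admin" type="saved"
01-05-2024 10:15:05.222 +0000 INFO  sendmodalert [4711 AlertNotifierWorker-0] - action=send_to_phantom - Alert action script completed in duration=3100 ms with exit code=0
01-05-2024 10:20:02.333 +0000 INFO  sendmodalert [4711 AlertNotifierWorker-1] - Invoking modular alert action=send_to_phantom for search="Threat - Malware Detected - Rule" sid="scheduler__admin__SplunkEnterpriseSecuritySuite__RMD5bbb_at_1704450000_18" in app="SplunkEnterpriseSecuritySuite" owner="admin" type="saved"
01-05-2024 10:20:03.444 +0000 INFO  sendmodalert [4711 AlertNotifierWorker-1] - action=send_to_phantom STDERR - ERROR HTTPSConnectionPool: connection refused
01-05-2024 10:20:03.555 +0000 INFO  sendmodalert [4711 AlertNotifierWorker-1] - action=send_to_phantom - Alert action script completed in duration=1100 ms with exit code=1
01-05-2024 10:25:02.666 +0000 INFO  sendmodalert [4711 AlertNotifierWorker-0] - Invoking modular alert action=send_to_phantom for search="Threat - Beaconing - Rule" sid="scheduler__admin__SplunkEnterpriseSecuritySuite__RMD5ccc_at_1704450300_19" in app="SplunkEnterpriseSecuritySuite" owner="admin" type="saved"
"""

# The thread name inside [...] is the only key shared by all three line kinds.
INVOKE_RE = re.compile(
    r'sendmodalert \[\d+ (?P<worker>\S+)\] - Invoking modular alert '
    r'action=(?P<action>\S+) for search="(?P<search>[^"]*)" sid="(?P<sid>[^"]*)"'
)
STDERR_RE = re.compile(
    r'sendmodalert \[\d+ (?P<worker>\S+)\] - action=(?P<action>\S+) STDERR - (?P<msg>.*)$'
)
DONE_RE = re.compile(
    r'sendmodalert \[\d+ (?P<worker>\S+)\] - action=(?P<action>\S+) - Alert action '
    r'script completed in duration=(?P<ms>\d+) ms with exit code=(?P<code>-?\d+)'
)


def find_failed_sends(log_text, action="send_to_phantom"):
    """Return records for runs of `action` that exited non-zero or never completed.

    Each record carries sid, search, captured STDERR lines, exit_code (None if
    no completion line was seen) and status "failed" or "incomplete".
    """
    open_by_worker = {}   # worker thread -> invocation still awaiting completion
    results = []
    for line in log_text.splitlines():
        m = INVOKE_RE.search(line)
        if m and m["action"] == action:
            open_by_worker[m["worker"]] = {
                "sid": m["sid"], "search": m["search"],
                "stderr": [], "exit_code": None, "duration_ms": None,
            }
            continue
        m = STDERR_RE.search(line)
        if m and m["action"] == action:
            rec = open_by_worker.get(m["worker"])
            if rec is not None:
                rec["stderr"].append(m["msg"])
            continue
        m = DONE_RE.search(line)
        if m and m["action"] == action:
            rec = open_by_worker.pop(m["worker"], None)
            if rec is None:
                continue  # completion without a visible invocation; ignore
            rec["exit_code"] = int(m["code"])
            rec["duration_ms"] = int(m["ms"])
            if rec["exit_code"] != 0:
                rec["status"] = "failed"
                results.append(rec)
    # Anything still open had no completion line in the window examined.
    for rec in open_by_worker.values():
        rec["status"] = "incomplete"
        results.append(rec)
    return results


if __name__ == "__main__":
    for rec in find_failed_sends(SAMPLE_INTERNAL_LOG):
        print(rec["status"], rec["sid"], rec["search"], rec["exit_code"], rec["stderr"])
```

Feed it the raw events from index=_internal sourcetype=splunkd component=sendmodalert action=send_to_phantom (exported, or pulled through the Splunk REST API) and raise a notification for every record returned; the sid identifies which correlation-search run's notable never reached SOAR. The same per-sid approach applies to the SOAR side once ingestd.log is forwarded, with the regexes rewritten for that daemon's message format.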
Thank you @phanTom
Sure, I will research. I am new to Phantom; your help is much appreciated.
Regards,
Harisha