Splunk SOAR (f.k.a. Phantom)

Has anyone else had problems connecting SOAR to CrowdStrike to ingest detections?

Our test connection is fine. We set the ingest to poll on a ten-minute interval. We can see a successful outbound call get made through the proxy, but no data is ingested from CrowdStrike.

Other apps we see hit the proxy at the defined interval period, but with CrowdStrike it's completely ad hoc, no matter whether we try interval or scheduled. It will do nothing for hours, and then hit it a couple of times and then go quiet.

Every couple of days it might bizarrely ingest something, but then stops again for days.

I can't find anything of relevance in the debug log ingestd.log, and the SOAR console isn't indicating any ingestion errors. I have checked CrowdStrike's API rate limiting with a manual request and we aren't anywhere near reaching any limits.

Has anyone experienced anything like this? Not sure where to go from here, it's like it's failing to schedule correctly. However I can see the scheduled ingestion under ingestion summary in the console.

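One way to pin down the "quiet for hours" pattern described above is to compare the proxy's record of outbound calls against the configured poll interval. This is an added example, not code from the thread or from Splunk; the proxy line format and the CrowdStrike API host name it watches are assumptions, and the log lines are constructed.

```python
"""Added example: check whether a SOAR asset's polling cadence matches its
configured interval by reading outbound calls from the proxy log.

Assumptions (not from the thread): the proxy writes one line per request as
'<ISO 8601 timestamp> <src-ip> <dst-host> <status>', and the destination host
to watch is api.crowdstrike.com."""
from datetime import datetime, timedelta

CS_HOST = "api.crowdstrike.com"  # assumption: API host the asset polls

# Constructed sample: a ten-minute poll that fires twice, goes silent for
# hours, then fires twice more (the behaviour reported in the thread).
SAMPLE_PROXY_LOG = """\
2024-02-05T08:00:01Z 10.0.0.5 api.crowdstrike.com 200
2024-02-05T08:10:02Z 10.0.0.5 api.crowdstrike.com 200
2024-02-05T08:10:30Z 10.0.0.5 splunk.example.internal 200
2024-02-05T13:40:07Z 10.0.0.5 api.crowdstrike.com 200
2024-02-05T13:50:03Z 10.0.0.5 api.crowdstrike.com 200
"""


def poll_times(log_text, host=CS_HOST):
    """Return the sorted timestamps of outbound calls to `host`."""
    times = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[2] == host:
            times.append(datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"))
    return sorted(times)


def find_missed_polls(times, interval=timedelta(minutes=10), slack=1.5):
    """Flag gaps between consecutive polls longer than slack * interval.

    Returns one (gap_start, gap_end, polls_missed) tuple per stall, where
    polls_missed is how many scheduled polls should have fallen in the gap.
    """
    gaps = []
    for earlier, later in zip(times, times[1:]):
        gap = later - earlier
        if gap > interval * slack:
            gaps.append((earlier, later, int(gap / interval) - 1))
    return gaps


if __name__ == "__main__":
    for start, end, missed in find_missed_polls(poll_times(SAMPLE_PROXY_LOG)):
        print(f"no poll between {start:%H:%M} and {end:%H:%M}: "
              f"~{missed} scheduled polls missed")
```

Feeding it the real proxy export for the SOAR host shows whether the scheduler is skipping polls (gaps with no outbound call) or the polls run and return nothing, which is the distinction the debug logs alone did not make clear.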


Hi @knot9 @CS_, sorry for the delayed response.

I ended up lodging a support case with Splunk and it was a bug in the version of the SOAR app. I was provided with a new version and this fixed the issue. Hope it helps!





We use the 'Crowdstrike OAUTH API' app. We don't do any ingestion of events directly to SOAR, we send them to Splunk instead, and call SOAR to do the work by various Adaptive Responses. Our SOAR, Splunk and Crowdstrike are all in the cloud. We haven't had any issues at all with reaching CS.

I'm assuming you're self-hosting SOAR, as you mention it calling out through the proxy. Do you have any other things in the way, like a firewall, IPS, etc. that might be causing a block? A weird DNS issue maybe? I suppose a failure to resolve the CrowdStrike domain would probably show up in the logs.

Have you tried with a different set of crowdstrike credentials? Maybe something funky with the current account?

When it seems to stop working - have you tried manually polling it in the App Asset Settings to see if that works?

One thing you could try is to disable the automatic polling, create a playbook that polls for events, then set that playbook to run on a timer as detailed here. We do this quite a lot for various playbooks that need to run like a cronjob.



I've actually had that same problem over the last few weeks and have gone through the same troubleshooting steps as you.

I started having issues with another app's ingestion a couple of weeks ago and also mentioned CrowdStrike in the support case, however, when it came time to jump on a call with support the CrowdStrike app was ingesting fine and has been since. 

Like you said it is very odd and not very consistent on when it does or doesn't work. 
