Splunk SOAR (f.k.a. Phantom)

Has anyone else had problems connecting SOAR to CrowdStrike to ingest detections?

andrewb
New Member

Our test connection is fine. We set the ingest to poll on a ten minute interval. We can see a successful outbound call get made through the proxy but no data is ingested from CrowdStrike.

Other apps we see hit the proxy at the defined interval period, but with CrowdStrike it's completely ad hoc, no matter whether we try interval or scheduled. It will do nothing for hours, and then hit it a couple of times and then go quiet.

Every couple of days it might bizarrely ingest something, but then stops again for days.

I can't find anything of relevance in the debug logs (ingestd.log), and the SOAR console isn't indicating any ingestion errors. I have checked CrowdStrike's API rate limiting with a manual request and we aren't anywhere near reaching any limits.

Has anyone experienced anything like this? Not sure where to go from here; it's like it's failing to schedule correctly. However, I can see the scheduled ingestion under ingestion summary in the console.


CS_
Path Finder

We use the 'Crowdstrike OAUTH API' app. We don't do any ingestion of events directly to SOAR, we send them to Splunk instead, and call SOAR to do the work by various Adaptive Responses. Our SOAR, Splunk and Crowdstrike are all in the cloud. We haven't had any issues at all with reaching CS.

I'm assuming you're self-hosting SOAR - as you mention it calling out through the proxy. Do you have any other things in the way, like a firewall, IPS, etc. that might be causing a block? A weird DNS issue maybe? I suppose a failure to resolve the CrowdStrike domain would probably show up in the logs.

Have you tried with a different set of crowdstrike credentials? Maybe something funky with the current account?

When it seems to stop working - have you tried manually polling it in the App Asset Settings to see if that works?

One thing you could try - is disable the automatic polling, create a playbook that polls for events, then set that playbook to run on a timer as detailed here - we do this quite a lot for various playbooks that need to run like a cronjob.

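One way to build the timer-driven polling playbook suggested above, as an added example that is not from this thread or from Splunk or CrowdStrike. The action name 'list detections', its 'filter'/'limit' parameters, the phantom.get_list/set_list/add_artifact calls and the layout of the action results are assumptions about the CrowdStrike OAuth API app; the watermark and dedup logic is plain Python and runs offline on the constructed sample rows.

```python
WATERMARK_LIST = "crowdstrike_poll_watermark"  # hypothetical custom list: one row, last timestamp
DEFAULT_SINCE = "1970-01-01T00:00:00Z"

# Constructed sample rows in the shape of CrowdStrike detection search results (subset of fields).
SAMPLE_DETECTIONS = [
    {"detection_id": "ldt:aaaa:1", "last_behavior": "2023-01-05T10:00:00Z", "hostname": "ws-01"},
    {"detection_id": "ldt:aaaa:1", "last_behavior": "2023-01-05T10:00:00Z", "hostname": "ws-01"},
    {"detection_id": "ldt:bbbb:2", "last_behavior": "2023-01-04T09:00:00Z", "hostname": "ws-02"},
    {"detection_id": "ldt:cccc:3", "last_behavior": "2023-01-06T00:00:00Z", "hostname": "srv-01"},
]

def build_filter(since_iso: str) -> str:
    """FQL filter: detections whose last behavior is strictly newer than the watermark."""
    return f"last_behavior:>'{since_iso}'"

def select_new(detections: list, since_iso: str) -> tuple:
    """Drop duplicate ids and rows at/before the watermark (the filter is strict, but a replayed
    or clock-skewed row can still come back); return (new rows, advanced watermark).
    Same-layout ISO-8601 UTC strings compare correctly as plain strings."""
    seen, fresh, newest = set(), [], since_iso
    for d in detections:
        did, ts = d.get("detection_id"), d.get("last_behavior", "")
        if not did or did in seen or ts <= since_iso:
            continue
        seen.add(did)
        fresh.append(d)
        newest = max(newest, ts)
    return fresh, newest

def on_start(container):
    """Scheduler entry point (assumed SOAR playbook API; only importable inside SOAR)."""
    import phantom.rules as phantom
    ok, _, rows = phantom.get_list(list_name=WATERMARK_LIST)
    since = rows[0][0] if ok and rows else DEFAULT_SINCE
    phantom.act("list detections", parameters=[{"filter": build_filter(since), "limit": 500}],
                assets=["crowdstrike_oauth"], callback=on_detections, name="poll_detections")

def on_detections(action=None, success=None, container=None, results=None, handle=None, **kw):
    import phantom.rules as phantom
    ok, _, rows = phantom.get_list(list_name=WATERMARK_LIST)
    since = rows[0][0] if ok and rows else DEFAULT_SINCE
    data = [row for r in results for ar in r.get("action_results", []) for row in ar.get("data", [])]
    fresh, newest = select_new(data, since)
    for d in fresh:  # identifier makes re-adding the same detection a no-op on the container
        phantom.add_artifact(container=container, raw_data=d, label="crowdstrike_detection",
                             name=d["detection_id"], severity="medium", identifier=d["detection_id"],
                             cef_data={"sourceHostName": d.get("hostname"), "lastBehavior": d["last_behavior"]})
    if fresh:  # advance the watermark only after artifacts were written, so a failed run is retried
        phantom.set_list(list_name=WATERMARK_LIST, values=[[newest]])
```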

knot9
Engager

I've actually had that same problem over the last few weeks and have gone through the same troubleshooting steps as you.

I started having issues with another app's ingestion a couple of weeks ago and also mentioned CrowdStrike in the support case; however, when it came time to jump on a call with support the CrowdStrike app was ingesting fine and has been since.

Like you said, it is very odd and not very consistent on when it does or doesn't work.
