Splunk SOAR (f.k.a. Phantom)

Has anyone else had problems connecting SOAR to CrowdStrike to ingest detections?

andrewb
Observer

Our test connection is fine. We set the ingest to poll on a ten minute interval. We can see a successful outbound call get made through the proxy but no data is ingested from CrowdStrike.

Other apps we see hit the proxy at the defined interval period, but with CrowdStrike it's completely ad hoc, no matter whether we try interval or scheduled. It will do nothing for hours, and then hit it a couple of times and then go quiet.

Every couple of days it might bizarrely ingest something, but then stops again for days.

I can't find anything of relevance in the debug logs ingestd.log and the SOAR console isn't indicating any ingestion errors. I have checked CrowdStrike's API rate limiting with a manual request and we aren't anywhere near reaching any limits.

Has anyone experienced anything like this? Not sure where to go from here, it's like it's failing to schedule correctly. However I can see the scheduled ingestion under ingestion summary in the console.

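The post above compares the SOAR poll schedule against what the proxy actually sees. As an added example (not part of the original thread and not a Splunk SOAR or CrowdStrike tool), this script reads proxy access log lines for the CrowdStrike API host and flags intervals that are far longer (missed polls) or far shorter (bursts) than the configured ten minutes; the log format and the host name are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta

# The ingest schedule from the post, plus the scheduling jitter we tolerate.
EXPECTED_INTERVAL = timedelta(minutes=10)
TOLERANCE = timedelta(minutes=2)

# Constructed proxy log lines. Assumed format: ISO timestamp, client IP,
# method, host:port, status. The API host name is an assumption.
SAMPLE_LOG = """\
2024-03-01T08:00:02Z 10.1.2.3 CONNECT api.crowdstrike.com:443 200
2024-03-01T08:10:04Z 10.1.2.3 CONNECT api.crowdstrike.com:443 200
2024-03-01T08:10:30Z 10.1.2.3 CONNECT updates.example.net:443 200
2024-03-01T08:20:01Z 10.1.2.3 CONNECT api.crowdstrike.com:443 200
2024-03-01T13:45:17Z 10.1.2.3 CONNECT api.crowdstrike.com:443 200
2024-03-01T13:46:02Z 10.1.2.3 CONNECT api.crowdstrike.com:443 200
"""


def parse_poll_times(log_text, host):
    """Return the sorted timestamps of proxy hits whose destination is `host`."""
    times = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or truncated line, skip it
        ts, _client, _method, dest = parts[:4]
        if dest.split(":")[0] != host:
            continue  # traffic to other destinations is irrelevant here
        times.append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return sorted(times)


def find_anomalies(times, expected=EXPECTED_INTERVAL, tolerance=TOLERANCE):
    """Flag consecutive polls spaced outside expected +/- tolerance.

    A 'gap' is a silence long enough to have skipped whole poll cycles
    (missed_polls counts them); a 'burst' is a repeat poll arriving early.
    """
    anomalies = []
    for earlier, later in zip(times, times[1:]):
        gap = later - earlier
        if abs(gap - expected) <= tolerance:
            continue  # on schedule
        kind = "gap" if gap > expected else "burst"
        missed = max(0, gap // expected - 1) if kind == "gap" else 0
        anomalies.append({"start": earlier, "end": later, "gap": gap,
                          "kind": kind, "missed_polls": missed})
    return anomalies


if __name__ == "__main__":
    for a in find_anomalies(parse_poll_times(SAMPLE_LOG, "api.crowdstrike.com")):
        print(f"{a['kind']:5} {a['start']:%H:%M:%S} -> {a['end']:%H:%M:%S} "
              f"({a['gap']}, missed polls: {a['missed_polls']})")
```

Point it at the real proxy log and the SOAR host's client IP to see whether the scheduler skipped cycles (long gaps) or fired in clusters (bursts), which distinguishes a scheduling fault from a CrowdStrike-side response problem.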

andrewb
Observer

Hi @knot9 @CS_ , sorry for the delayed response.

I ended up lodging a support case with Splunk and it was a bug in the version of the SOAR app. I was provided with a new version and this fixed the issue. Hope it helps!

Regards,

Andrew


CS_
Path Finder

We use the 'Crowdstrike OAUTH API' app. We don't do any ingestion of events directly to SOAR, we send them to Splunk instead, and call SOAR to do the work by various Adaptive Responses. Our SOAR, Splunk and Crowdstrike are all in the cloud. We haven't had any issues at all with reaching CS.

I'm assuming you're self hosting SOAR - as you mention it calling out through the proxy. Do you have any other things in the way, like Firewall, IPS, etc that might be causing a block? A weird DNS issue maybe? I suppose a failure to resolve the crowdstrike domain would probably show up in the logs.

Have you tried with a different set of crowdstrike credentials? Maybe something funky with the current account?

When it seems to stop working - have you tried manually polling it in the App Asset Settings to see if that works?

One thing you could try is to disable the automatic polling, create a playbook that polls for events, then set that playbook to run on a timer as detailed here - we do this quite a lot for various playbooks that need to run like a cronjob.


knot9
Engager

I've actually had that same problem over the last few weeks and have gone through the same troubleshooting steps as you.

I started having issues with another app's ingestion a couple of weeks ago and also mentioned CrowdStrike in the support case, however, when it came time to jump on a call with support the CrowdStrike app was ingesting fine and has been since. 

Like you said it is very odd and not very consistent on when it does or doesn't work. 
