Splunk SOAR

Splunk Soar WinRM Issue

Rubaine
New Member

Hello everyone,

I'm facing a persistent issue with executing a script via a playbook in Splunk SOAR that uses WinRM. Here's the context:

I've created a playbook that is supposed to isolate a host via WinRM. The script works perfectly when I run it manually using the "Run Script" action from Splunk SOAR: the host gets isolated. However, when the same script is executed by the playbook, the execution is marked as "successful," but none of the expected outcomes occur: the host is not isolated.

To be more precise:

  • I added an elevation check in the script, which relaunches in administrator mode with -Verb RunAs if necessary. This works perfectly for the manual action.

  • The script writes to a log file located in C:\Users\Public\Documents to avoid permission issues, but the log file is not created when executed by the playbook.

  • I've tried other directories and even simplified the logic to just disable a network adapter with Disable-NetAdapter, but nothing seems to work.

In summary, everything works fine when done manually, but not when automated via the playbook. I have the impression that there's a difference in context between manual execution and playbook execution that's causing the issue, perhaps related to permissions or WinRM session restrictions.

Does anyone have any idea what might be preventing the playbook from executing this script correctly, or any suggestions for workarounds? I'm really running out of ideas and any help would be greatly appreciated.

Thanks in advance!

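One way to narrow down the "manual works, playbook doesn't" gap is to have the script record its own execution context before it tries anything, and to make every step fail loudly instead of returning success on a no-op. The PowerShell below is an added example written for this thread, not the poster's script: the adapter name and log path are placeholders, and the remote-session detection relies on the `$PSSenderInfo` automatic variable that PowerShell populates only inside a remoting (WinRM) session.

```powershell
# Added diagnostic wrapper (not from the original post): logs who is running
# the script and in what kind of session, then attempts the isolation step
# in fail-fast mode so the playbook result reflects what actually happened.
param(
    # Placeholder values; the original post names neither an adapter nor a file.
    [string]$AdapterName = 'Ethernet0',
    [string]$LogPath = 'C:\Users\Public\Documents\soar-isolate.log'
)

function Write-Log {
    param([string]$Message)
    $line = '{0} {1}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $Message
    # -ErrorAction Stop: a log that cannot be written is itself a finding
    Add-Content -Path $LogPath -Value $line -ErrorAction Stop
}

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
# $PSSenderInfo exists only when the script runs inside a remoting session
$remote    = $null -ne $PSSenderInfo

try {
    Write-Log ('user={0} elevated={1} remote={2} host={3} interactive={4}' -f
        $identity.Name, $elevated, $remote, $Host.Name, [Environment]::UserInteractive)
    if (-not $elevated) {
        if ($remote) {
            # A remote session has no desktop on which a UAC prompt can appear,
            # so a -Verb RunAs relaunch cannot succeed; fail instead of faking success.
            throw 'Not elevated inside a remote session; RunAs relaunch is not possible.'
        }
        Write-Log 'Not elevated; relaunching with RunAs (interactive console only).'
        Start-Process -FilePath 'powershell.exe' -Verb RunAs `
            -ArgumentList ('-ExecutionPolicy Bypass -File "{0}" -AdapterName "{1}"' -f $PSCommandPath, $AdapterName)
        exit 0
    }
    # -Confirm:$false because the cmdlet prompts by default and nothing can
    # answer that prompt in a non-interactive playbook run.
    Disable-NetAdapter -Name $AdapterName -Confirm:$false -ErrorAction Stop
    $state = (Get-NetAdapter -Name $AdapterName -ErrorAction Stop).Status
    Write-Log "Disable-NetAdapter finished; adapter status now: $state"
    if ($state -ne 'Disabled') { throw "Adapter '$AdapterName' is still '$state'." }
}
catch {
    Write-Log "FAILED: $($_.Exception.Message)"
    # Non-zero exit code so the calling playbook cannot report this as success
    exit 1
}
```

Compare the first log line from a manual run with the one from a playbook run: a different `user`, `elevated=False`, or `remote=True` points directly at the context difference. If the adapter being disabled carries the WinRM session itself, the session drops at `Disable-NetAdapter` and only the local log records the outcome.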

marnall
Motivator

Does it work if you run the script using the debugger, but uncheck the checkbox that says "Run as current user"?

Also, if I understand correctly, you are not using the SOAR WinRM (Windows Remote Management) app, but are instead using a different app to trigger a script, or using a custom function that implements WinRM communication?
