topic Creating an XSOAR Incident from Splunk in Cortex XSOAR Discussions

Creating an XSOAR Incident from Splunk

Moh.Yasser — Wed, 21 Jun 2023 13:44:17 GMT

Hey team,

We tried to push splunk alerts to XSOAR and we used the Splunk create XSOAR incident.

Splunk logs show that it was successful, but we do not see any incidents in XSOAR.

apparently 06-19-2023 16:33:01.558 +0000 INFO sendmodalert [373426 AlertNotifierWorker-0] - action=create_xsoar_incident - Alert action script completed in duration=1480 ms with exit code=0

Is there something missing from our end?

#xsoar #splunk

Re: Creating an XSOAR Incident from Splunk

michaeljohnson123 — Wed, 21 Jun 2023 16:44:55 GMT

@Moh.Yasser

Dear Yasser,

for creating incidents on xsoar from splunk, you need integration called splunk pycharm, and additionally you have to have an app configured in splunk , so that the app can trigger incidents on xsoar. dm me if u need any additional info. michaelusatx@gmail.com.

cheers.

Re: Creating an XSOAR Incident from Splunk

chrking — Thu, 06 Jul 2023 04:31:20 GMT

"We tried to push splunk alerts to XSOAR" - I'm assuming this means you're using the Demisto Add-on for Splunk. This is not the recommended way to get incidents into XSOAR for precisely the reason you've discovered - it is difficult to troubleshoot issues, and issues will cause incidents to be silently lost rather than raising errors.

The standard, recommended method uses queries from the XSOAR side, which will have logs to allow you to debug the issue in case of errors.

If you *need* to use the Demisto add-on for some reason, I'd suggest checking your network from splunk to XSOAR, as well as making sure you have the appropriate instance.execute.external key set on the XSOAR side. Given the lack of proper logs you may need to use tcpdump to debug the issue.