Creating an XSOAR Incident from Splunk


Creating an XSOAR Incident from Splunk

L1 Bithead

Hey team,

We tried to push Splunk alerts to XSOAR using the Splunk "create XSOAR incident" action.

Splunk logs show that it was successful, but we do not see any incidents in XSOAR.

Apparently:

06-19-2023 16:33:01.558 +0000 INFO sendmodalert [373426 AlertNotifierWorker-0] - action=create_xsoar_incident - Alert action script completed in duration=1480 ms with exit code=0

Is there something missing from our end?

#xsoar #splunk

 


@Moh.Yasser 

Dear Yasser,

For creating incidents on XSOAR from Splunk, you need an integration called splunk pycharm, and additionally you have to have an app configured in Splunk, so that the app can trigger incidents on XSOAR. DM me if you need any additional info: michaelusatx@gmail.com.

Cheers.

 

L3 Networker

"We tried to push splunk alerts to XSOAR" - I'm assuming this means you're using the Demisto Add-on for Splunk. This is not the recommended way to get incidents into XSOAR, for precisely the reason you've discovered: it is difficult to troubleshoot issues, and issues will cause incidents to be silently lost rather than raising errors.

The standard, recommended method uses queries from the XSOAR side, which will have logs to allow you to debug the issue in case of errors.

If you *need* to use the Demisto add-on for some reason, I'd suggest checking your network from Splunk to XSOAR, as well as making sure you have the appropriate instance.execute.external key set on the XSOAR side. Given the lack of proper logs, you may need to use tcpdump to debug the issue.
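The reply above makes two points: the `exit code=0` in the sendmodalert log only tells you the alert-action script exited cleanly on the search head, and the push path from Splunk to XSOAR gives you little else to go on, so connectivity has to be checked by hand. The following script is an added example (not code from the thread, from Splunk or from Palo Alto Networks) that a Splunk admin could run on the search head to do both: parse the splunkd sendmodalert line to confirm what it does and does not prove, then probe TCP reachability and TLS negotiation to the XSOAR host before reaching for tcpdump. The sample log line is the one quoted in the question; the XSOAR hostname and port are placeholders you would replace with your own.

```python
"""Triage a Splunk alert action that reports success while XSOAR shows no incident.

Run on the Splunk search head. Two independent checks:
  1. parse the splunkd sendmodalert line (script exit status only)
  2. probe TCP and TLS reachability of the XSOAR server from this host
"""
import re
import socket
import ssl

# Constructed sample: the sendmodalert line quoted in the thread.
SAMPLE_LOG = (
    "06-19-2023 16:33:01.558 +0000 INFO sendmodalert [373426 AlertNotifierWorker-0] "
    "- action=create_xsoar_incident - Alert action script completed in "
    "duration=1480 ms with exit code=0"
)

# Placeholder target; replace with the XSOAR server URL host and port you configured.
XSOAR_HOST = "xsoar.example.invalid"
XSOAR_PORT = 443

# The three fields we care about; 'exit code' contains a space, so list them explicitly.
FIELD_RE = re.compile(r"(action|duration|exit code)=(\S+)")


def parse_sendmodalert(line: str) -> dict:
    """Extract action name, duration and exit code from a sendmodalert log line.

    script_ok is True when exit code is 0. That means the alert-action script ran
    and returned cleanly; it says nothing about whether XSOAR accepted an incident.
    """
    fields = dict(FIELD_RE.findall(line))
    exit_code = int(fields.get("exit code", -1))
    return {
        "action": fields.get("action"),
        "duration_ms": int(fields.get("duration", -1)),
        "exit_code": exit_code,
        "script_ok": exit_code == 0,
    }


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> dict:
    """Plain TCP connect. Distinguishes a firewall drop (timeout) from a closed port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return {"status": "open"}
    except ConnectionRefusedError:
        return {"status": "refused", "hint": "host reachable, nothing listening on port"}
    except socket.timeout:
        return {"status": "timeout", "hint": "packets dropped; check firewall or routing"}
    except OSError as exc:  # DNS failure, no route, sandboxed socket, etc.
        return {"status": "error", "detail": str(exc)}


def probe_tls(host: str, port: int, timeout: float = 3.0, verify: bool = True) -> dict:
    """TLS handshake with the system trust store; reports certificate problems separately.

    A cert_error here is a common reason a push from Splunk is silently dropped:
    the add-on's HTTP client rejects the server certificate and nothing is sent.
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()  # empty dict when verify=False
                return {"status": "ok", "protocol": tls.version(),
                        "subject": cert.get("subject")}
    except ssl.SSLCertVerificationError as exc:
        return {"status": "cert_error", "detail": exc.verify_message}
    except ssl.SSLError as exc:
        return {"status": "tls_error", "detail": str(exc)}
    except OSError as exc:
        return {"status": "error", "detail": str(exc)}


if __name__ == "__main__":
    parsed = parse_sendmodalert(SAMPLE_LOG)
    print("sendmodalert:", parsed)
    if parsed["script_ok"]:
        print("exit code 0 only means the script finished; now check the network path.")
    print("tcp:", probe_tcp(XSOAR_HOST, XSOAR_PORT))
    print("tls:", probe_tls(XSOAR_HOST, XSOAR_PORT))
```

If `probe_tcp` reports `open` but `probe_tls` reports `cert_error`, the add-on's HTTP client is almost certainly failing the same way; fix the trust chain (or confirm the add-on is configured to trust that CA) before spending time on tcpdump. If TCP times out, the problem is upstream of XSOAR entirely and the instance.execute.external key is not yet the issue.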
