On-prem Splunk - Chronicle SOAR integration

Hi Guys,

I am trying to integrate an on-prem Splunk instance which is hosted on AWS. The AWS team allowed communication between the Chronicle SOAR (ingress and egress) IPs and the Splunk search head public IP over port 8089, but I am still getting a connectivity error:

Failed to connect to the Splunk - Ping server! Error is HTTPSConnectionPool(host='x.x.x.x', port=8089): Max retries exceeded with url: /services/search/jobs/export?output_mode=json (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7cce8a7c9710>: Failed to establish a new connection: [Errno 110] Connection timed out'))

From the network side, we see traffic accepted from SOAR egress IP but no traffic for ingress IP.


We want to integrate the Splunk ES - Notable Events Connector to ingest notables.

Any help on this will be greatly appreciated.


@VictorSOAR

The SOAR ingress IP shouldn't be used to communicate with QRadar. The ingress IP is only for SOAR UI access.

> From the network side, we see traffic accepted from SOAR egress IP
It is a good sign. I would recommend you perform a traffic capture next to QRadar to understand if traffic gets to QRadar (or maybe there's some additional firewall).

Ideally, I recommend you use the Remote Agent, which is intended for such cases when you need to connect to your network without exposing any ports or IPs.
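The timeout in the question ("[Errno 110] Connection timed out") is a TCP-layer symptom: no SYN-ACK ever came back, which is what a security group or firewall silently dropping the SOAR egress traffic looks like. The script below is an added example (not from the thread, and not part of the Google SOAR Splunk integration) that tells that case apart from a refused connection (host reachable, nothing listening) and from a working port, prints the matching next step, and only then attempts an authenticated HTTPS request. The target host, credentials and the use of the standard splunkd endpoint /services/server/info are assumptions and placeholders; the self-test runs offline against a local listener.

```python
"""TCP-layer triage for a SOAR -> Splunk management-port (8089) connection.

Added example, not from the thread. Verdicts:
  open    - TCP handshake completed; firewall path and listener are fine
  refused - host answered with RST; reachable, but nothing listens on the port
  timeout - no answer at all; typical of a firewall/security group dropping packets
            (this is the [Errno 110] seen in the question)
"""
import base64
import json
import socket
import ssl
import urllib.request

SPLUNK_MGMT_PORT = 8089  # Splunk management (REST) port used by the connector


def check_tcp(host: str, port: int = SPLUNK_MGMT_PORT, timeout: float = 3.0) -> str:
    """Classify a plain TCP connect as 'open', 'refused', 'timeout' or 'error:<errno>'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:          # no SYN-ACK within the timeout
        return "timeout"
    except ConnectionRefusedError:  # RST received: reachable host, closed port
        return "refused"
    except OSError as exc:          # DNS failure, no route, network unreachable, ...
        return f"error:{exc.errno}"


def explain(result: str) -> str:
    """Map the TCP verdict to the next troubleshooting step."""
    if result == "open":
        return "TCP reachable: check TLS and credentials with an HTTPS request next."
    if result == "timeout":
        return ("No SYN-ACK: packets are dropped in transit. Confirm the security group / "
                "firewall permits the SOAR egress IP (not the ingress IP) to TCP/8089, "
                "and capture next to Splunk to see whether the SYNs arrive at all.")
    if result == "refused":
        return "Host reachable but nothing listens on the port: check splunkd's management port binding."
    return "Routing or name-resolution problem, before any filtering is reached."


def splunk_server_info(host, username, password, port=SPLUNK_MGMT_PORT,
                       verify_tls=True, timeout=10.0) -> dict:
    """Authenticated GET of /services/server/info (a standard splunkd REST endpoint)."""
    url = f"https://{host}:{port}/services/server/info?output_mode=json"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab using splunkd's default self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return json.load(resp)


def self_test() -> dict:
    """Exercise check_tcp offline: first against a local listener, then against the closed port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # constructed local listener on an ephemeral port
    listener.listen(1)
    port = listener.getsockname()[1]
    results = {"listening": check_tcp("127.0.0.1", port)}
    listener.close()
    results["closed"] = check_tcp("127.0.0.1", port)
    return results


if __name__ == "__main__":
    target = "x.x.x.x"  # placeholder: the Splunk search head public IP from the thread
    print(self_test())
    verdict = check_tcp(target)
    print(verdict, "-", explain(verdict))
    if verdict == "open":
        # placeholder credentials; a dedicated least-privilege Splunk user is assumed
        info = splunk_server_info(target, "soar_user", "PASSWORD_PLACEHOLDER")
        print("splunkd version:", info["entry"][0]["content"].get("version"))
```

Run it from the SOAR side (or from a host that shares the SOAR egress path): a "timeout" verdict together with no SYNs in a capture next to Splunk points at the security group or an intermediate firewall, while "refused" means the packets arrive but splunkd is not listening on that interface and port.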

Thanks @f3rz for your response.

Is it necessary to install the TA-Siemplify package on the Splunk search head? I am attempting to pull alerts and have observed environments where the TA-Siemplify app is not installed on Splunk, yet they successfully pull alerts into Chronicle SOAR.

Could there be any issues or limitations if we do not install the TA-Siemplify package on Splunk?

The TA-Siemplify app is necessary only if you want to use:

1. The pull method of collecting alerts, utilising the pull connector
2. The push method, which uses the SOAR API to create alerts directly in SOAR and does not require a connector.

For the rest of the connectors and other integration components this application is not required; please see:
https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/splunk

Thanks @f3rz , this answered my question perfectly!