Debugging Splunk SOAR Actions Using PUDB 

Nathan Holloway, Security Automation Engineer

Introduction 

Splunk SOAR is a powerful tool for orchestrating and automating security workflows. However, debugging actions within SOAR can be challenging without the right tools. This blog will guide you through using PUDB, a Python debugger, to debug actions step by step. We’ll use the whois ip action from the WHOIS RDAP App as an example. 

Step 1: Access the Server

  1. SSH into the server: Use your terminal to connect to the server hosting Splunk SOAR. 
  2. Switch to the phantom user: Ensure you’re operating as the phantom user by running: sudo su - phantom 

Step 2: Locate the Action Scripts

  1. Navigate to the bin directory of your Splunk SOAR installation: cd <Phantom Home>/bin 
  2. Run the action on an event and note down the action name (e.g., whois ip). 
  3. Execute the following command to generate a debug file: phenv python create_tj.pyc 'whois ip' 

Example Command Output:

    [phantom@phantom bin]$ sudo /opt/phantom/bin/phenv python /opt/phantom/bin/create_tj.pyc 'whois ip'
    Matched 2 lines, will pick up the last line
    IPC json added to file:
    '/tmp/whoisrdap-whois_ip.json'

Step 3: Inspect the Debug File

Open the JSON file created in the /tmp directory to understand its structure: 

    cat /tmp/whoisrdap-whois_ip.json 

Sample JSON Content:

    {
        "action": "whois ip",
        "action_run_id": 106,
        "app_config": null,
        "asset_id": "11",
        "config": {
            "_reserved_environment_variables": {},
            "app_version": "2.1.2",
            "appname": "-",
            "directory": "whoisrdap_7241ecbd-4a79-4a86-99eb-b2ed8f3e7686",
            "main_module": "whois_rdap_connector.py"
        },
        "parameters": [
            {
                "context": {
                    "artifact_id": 0,
                    "guid": "80ccfee0-aee8-4aaa-8c42-b308be6c71f3"
                },
                "ip": "4.2.2.2"
            }
        ]
    }

Step 4: Prepare for Debugging

  1. Locate the app folder in the apps directory. The directory name corresponds to the app’s UUID (e.g., whoisrdap_7241ecbd-4a79-4a86-99eb-b2ed8f3e7686): cd <Phantom Home>/apps 
  2. Run the app’s main module with the debug JSON file:

    phenv python /opt/phantom/apps/whoisrdap_7241ecbd-4a79-4a86-99eb-b2ed8f3e7686/whois_rdap_connector.py /tmp/whoisrdap-whois_ip.json 
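As an added example (not code from the post or the WHOIS RDAP App) of what Step 4 consumes, this Python snippet parses the IPC JSON from Step 3, checks the keys the connector run depends on, and composes the Step 4 command from config.directory and config.main_module; the inline sample and the /opt/phantom home are assumptions taken from the output shown above.

```python
import json
import os
import shlex

# Constructed sample: a trimmed copy of the IPC JSON that create_tj.pyc wrote
# to /tmp in Step 2 for the whois ip action.
SAMPLE_DEBUG_JSON = """{
    "action": "whois ip", "action_run_id": 106, "app_config": null, "asset_id": "11",
    "config": {"app_version": "2.1.2", "appname": "-",
               "directory": "whoisrdap_7241ecbd-4a79-4a86-99eb-b2ed8f3e7686",
               "main_module": "whois_rdap_connector.py"},
    "parameters": [{"context": {"artifact_id": 0,
                                "guid": "80ccfee0-aee8-4aaa-8c42-b308be6c71f3"},
                    "ip": "4.2.2.2"}]
}"""

REQUIRED_TOP = ("action", "config", "parameters")
REQUIRED_CONFIG = ("directory", "main_module")

def parse_debug_json(text):
    """Parse the IPC JSON and check the keys the Step 4 run depends on."""
    data = json.loads(text)
    missing = [k for k in REQUIRED_TOP if k not in data]
    missing += ["config." + k for k in REQUIRED_CONFIG
                if k not in data.get("config", {})]
    if missing:
        raise ValueError("debug JSON is missing: " + ", ".join(missing))
    if not isinstance(data["parameters"], list) or not data["parameters"]:
        raise ValueError("debug JSON has no parameter sets to replay")
    return data

def connector_path(data, phantom_home="/opt/phantom"):
    """<Phantom Home>/apps/<config.directory>/<config.main_module>."""
    cfg = data["config"]
    for part in (cfg["directory"], cfg["main_module"]):
        # A separator or '..' in either name would point outside the apps tree.
        if "/" in part or part in ("", ".", ".."):
            raise ValueError("unsafe path component in debug JSON: %r" % part)
    return os.path.join(phantom_home, "apps", cfg["directory"], cfg["main_module"])

def debug_command(data, json_path, phantom_home="/opt/phantom"):
    """Build the Step 4 command line, shell-quoted, from the parsed JSON."""
    phenv = os.path.join(phantom_home, "bin", "phenv")
    argv = (phenv, "python", connector_path(data, phantom_home), json_path)
    return " ".join(shlex.quote(a) for a in argv)

def action_inputs(data):
    """Inputs the action handler will receive: each parameter set minus 'context'."""
    return [{k: v for k, v in p.items() if k != "context"} for p in data["parameters"]]
```

Running debug_command on a real file from /tmp gives the exact line to type in Step 4, and action_inputs shows which values the action will operate on before you step into it.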


About the Author

Nathan Holloway is an accomplished IT professional with over 20 years of experience spanning data center operations, virtualization, automation, and security orchestration.

Beginning his career in data centers, Nathan honed his expertise in hardware and Linux systems administration during the first five years of his journey. Transitioning into virtualization, he spent the next five years working with VMware, where he served as a Tier 2 and Tier 3 engineer. During this time, he mastered Ruby and PowerShell, implemented Puppet to manage configurations for over 5,000 virtual machines, and developed a variety of automation solutions.

In the last six years, Nathan has focused on Splunk SOAR (Security Orchestration, Automation, and Response) at VMware and now TekStream. He has been instrumental in developing new actions and applications for Splunk SOAR and Splunk, driving innovation and efficiency in security and operational workflows.

With a proven track record in automation, scripting, and application development, Nathan brings a unique combination of technical acumen and practical problem-solving to every project.