<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Error adding a Phantom Server configuration in the Phantom Splunk App. in Splunk SOAR</title>
    <link>https://community.splunk.com/t5/Splunk-SOAR/Error-adding-a-Phantom-Server-configuration-in-the-Phantom/m-p/405817#M60</link>
    <description>&lt;P&gt;Two things to verify.  First, is your account associated with the phantom role?  If you are using local accounts, simply add your account in Settings/Access Control/Roles.  If you are using LDAP users, then map the groups using Authentication/Authentication Method/LDAP Settings/Map Groups. &lt;/P&gt;

&lt;P&gt;Next login CLI to your Phantom server and run the following command:&lt;/P&gt;

&lt;P&gt;curl -ku 'username:password' &lt;A href="https://SplunkEnterpriseServer.domain.com:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs%5C?output_mode%5C=json"&gt;https://SplunkEnterpriseServer.domain.com:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs\?output_mode\=json&lt;/A&gt; -d value=0&lt;/P&gt;

&lt;P&gt;Finally clean up history&lt;BR /&gt;
run the history command from the cli prompt&lt;BR /&gt;
find the line number with your password in plain text&lt;BR /&gt;
Run the command: history -d %linenumber%&lt;/P&gt;

&lt;P&gt;run the history command again to verify you deleted the password.&lt;/P&gt;

&lt;P&gt;I'm not sure if "any" will work, but if not, enter the IP of the ES server you are connecting from. &lt;BR /&gt;
Go back the phantom app configuration and try to create the server again. &lt;/P&gt;</description>
    <pubDate>Thu, 02 May 2019 12:54:32 GMT</pubDate>
    <dc:creator>jaxjohnny2000</dc:creator>
    <dc:date>2019-05-02T12:54:32Z</dc:date>
    <item>
      <title>Error adding a Phantom Server configuration in the Phantom Splunk App.</title>
      <link>https://community.splunk.com/t5/Splunk-SOAR/Error-adding-a-Phantom-Server-configuration-in-the-Phantom/m-p/405815#M58</link>
      <description>&lt;P&gt;I am getting a 403 error when adding a new server configuration to the Phantom app in Splunk.&lt;/P&gt;
&lt;P&gt;"There was an error adding the server configuration. Verify server's 'Allowed IPs' and authorization configuration.&lt;BR /&gt;Status: 403&lt;BR /&gt;Text: Forbidden"&lt;/P&gt;
&lt;P&gt;I have made sure that the Allowed IPs are set to 'any', and have regenerated the Authorization Configuration multiple times. Any idea what is going on? Anyone have a similar experience?&lt;/P&gt;</description>
      <pubDate>Sun, 07 Jun 2020 17:48:31 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-SOAR/Error-adding-a-Phantom-Server-configuration-in-the-Phantom/m-p/405815#M58</guid>
      <dc:creator>aridday</dc:creator>
      <dc:date>2020-06-07T17:48:31Z</dc:date>
    </item>
    <item>
      <title>Re: Error adding a Phantom Server configuration in the Phantom Splunk App.</title>
      <link>https://community.splunk.com/t5/Splunk-SOAR/Error-adding-a-Phantom-Server-configuration-in-the-Phantom/m-p/405816#M59</link>
      <description>&lt;P&gt;I'm having the exact same issue. I can confirm that traffic TCP port 443 traffic is allowed between the Splunk server and the Phantom server.&lt;/P&gt;</description>
      <pubDate>Tue, 23 Apr 2019 17:45:13 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-SOAR/Error-adding-a-Phantom-Server-configuration-in-the-Phantom/m-p/405816#M59</guid>
      <dc:creator>roayers</dc:creator>
      <dc:date>2019-04-23T17:45:13Z</dc:date>
    </item>
    <item>
      <title>Re: Error adding a Phantom Server configuration in the Phantom Splunk App.</title>
      <link>https://community.splunk.com/t5/Splunk-SOAR/Error-adding-a-Phantom-Server-configuration-in-the-Phantom/m-p/405817#M60</link>
      <description>&lt;P&gt;Two things to verify.  First, is your account associated with the phantom role?  If you are using local accounts, simply add your account in Settings/Access Control/Roles.  If you are using LDAP users, then map the groups using Authentication/Authentication Method/LDAP Settings/Map Groups. &lt;/P&gt;

&lt;P&gt;Next login CLI to your Phantom server and run the following command:&lt;/P&gt;

&lt;P&gt;curl -ku 'username:password' &lt;A href="https://SplunkEnterpriseServer.domain.com:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs%5C?output_mode%5C=json"&gt;https://SplunkEnterpriseServer.domain.com:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs\?output_mode\=json&lt;/A&gt; -d value=0&lt;/P&gt;

&lt;P&gt;Finally clean up history&lt;BR /&gt;
run the history command from the cli prompt&lt;BR /&gt;
find the line number with your password in plain text&lt;BR /&gt;
Run the command: history -d %linenumber%&lt;/P&gt;

&lt;P&gt;run the history command again to verify you deleted the password.&lt;/P&gt;

&lt;P&gt;I'm not sure if "any" will work, but if not, enter the IP of the ES server you are connecting from. &lt;BR /&gt;
Go back the phantom app configuration and try to create the server again. &lt;/P&gt;</description>
      <pubDate>Thu, 02 May 2019 12:54:32 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-SOAR/Error-adding-a-Phantom-Server-configuration-in-the-Phantom/m-p/405817#M60</guid>
      <dc:creator>jaxjohnny2000</dc:creator>
      <dc:date>2019-05-02T12:54:32Z</dc:date>
    </item>
    <item>
      <title>Re: Error adding a Phantom Server configuration in the Phantom Splunk App.</title>
      <link>https://community.splunk.com/t5/Splunk-SOAR/Error-adding-a-Phantom-Server-configuration-in-the-Phantom/m-p/405818#M61</link>
      <description>&lt;P&gt;What do you mean by clean up history? How exactly do we do that? &lt;/P&gt;</description>
      <pubDate>Tue, 20 Aug 2019 04:33:24 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-SOAR/Error-adding-a-Phantom-Server-configuration-in-the-Phantom/m-p/405818#M61</guid>
      <dc:creator>grantccarlson</dc:creator>
      <dc:date>2019-08-20T04:33:24Z</dc:date>
    </item>
    <item>
      <title>Re: Error adding a Phantom Server configuration in the Phantom Splunk App.</title>
      <link>https://community.splunk.com/t5/Splunk-SOAR/Error-adding-a-Phantom-Server-configuration-in-the-Phantom/m-p/405819#M62</link>
      <description>&lt;P&gt;This is the history of the Linux operating system.  from the shell command line, type the command "history".  This shows the most recent commands typed into the shell.  If you put a password on the command line as a parameter, it will show in history.  you can either clear all the history, or just that one line.  To clear just the one line, find the line number with your password in plain text.  Then Run the command: history -d "linenumber" - (no quotes, just the line number you found running the history command. &lt;/P&gt;

&lt;P&gt;I use the history in Linux to save time by pressing either the up or down arrow on the keyboard.  So I only delete the one line with the password in it.  The rest I leave alone. &lt;/P&gt;</description>
      <pubDate>Tue, 20 Aug 2019 11:40:58 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-SOAR/Error-adding-a-Phantom-Server-configuration-in-the-Phantom/m-p/405819#M62</guid>
      <dc:creator>jaxjohnny2000</dc:creator>
      <dc:date>2019-08-20T11:40:58Z</dc:date>
    </item>
    <item>
      <title>Re: Error adding a Phantom Server configuration in the Phantom Splunk App.</title>
      <link>https://community.splunk.com/t5/Splunk-SOAR/Error-adding-a-Phantom-Server-configuration-in-the-Phantom/m-p/405820#M63</link>
      <description>&lt;P&gt;You can also omit the the password and curl will prompt, thus eliminating the need to clear up the history.&lt;/P&gt;</description>
      <pubDate>Wed, 21 Aug 2019 14:22:05 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-SOAR/Error-adding-a-Phantom-Server-configuration-in-the-Phantom/m-p/405820#M63</guid>
      <dc:creator>sam_splunk</dc:creator>
      <dc:date>2019-08-21T14:22:05Z</dc:date>
    </item>
    <item>
      <title>Re: Error adding a Phantom Server configuration in the Phantom Splunk App.</title>
      <link>https://community.splunk.com/t5/Splunk-SOAR/Error-adding-a-Phantom-Server-configuration-in-the-Phantom/m-p/405821#M64</link>
      <description>&lt;P&gt;Hi aridday, is that the full error message or is there more text below the "Text: Forbidden" part?&lt;/P&gt;</description>
      <pubDate>Thu, 22 Aug 2019 03:10:42 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-SOAR/Error-adding-a-Phantom-Server-configuration-in-the-Phantom/m-p/405821#M64</guid>
      <dc:creator>sam_splunk</dc:creator>
      <dc:date>2019-08-22T03:10:42Z</dc:date>
    </item>
    <item>
      <title>Re: Error adding a Phantom Server configuration in the Phantom Splunk App.</title>
      <link>https://community.splunk.com/t5/Splunk-SOAR/Error-adding-a-Phantom-Server-configuration-in-the-Phantom/m-p/405822#M65</link>
      <description>&lt;P&gt;This is a step-by-step walk through of the configuration and some troubleshooting steps. Hopefully this will help with people seeing these types of messages.&lt;/P&gt;

&lt;P&gt;The starting point is having a Phantom OVA configured and a Splunk instances without the Phantom App for Splunk installed.&lt;/P&gt;

&lt;P&gt;1) Let's start by installing the Phantom App for Splunk:&lt;/P&gt;

&lt;P&gt;&lt;IMG src="https://i.imgur.com/vrAOKIn.png" alt="alt text" /&gt;&lt;/P&gt;

&lt;P&gt;&lt;IMG src="https://i.imgur.com/0pQLmN1.png" alt="alt text" /&gt;&lt;/P&gt;

&lt;P&gt;2) Let's go ahead and add a user to the Phantom Role in Splunk:&lt;BR /&gt;
&lt;IMG src="https://i.imgur.com/11NzWZD.png" alt="alt text" /&gt;&lt;/P&gt;

&lt;P&gt;&lt;IMG src="https://i.imgur.com/TmnnEei.png" alt="alt text" /&gt;&lt;/P&gt;

&lt;P&gt;(assuming 'admin' will be creating doing the configuration)&lt;BR /&gt;
&lt;IMG src="https://i.imgur.com/Xeo8h9j.png" alt="alt text" /&gt;&lt;/P&gt;

&lt;P&gt;&lt;IMG src="https://i.imgur.com/BHYWKyn.png" alt="alt text" /&gt;&lt;BR /&gt;
(Don't forget to click 'Save' after adding the Phantom role!)&lt;/P&gt;

&lt;P&gt;Next, let's look our App:&lt;BR /&gt;
&lt;IMG src="https://i.imgur.com/sWGWjZd.png" alt="alt text" /&gt;&lt;/P&gt;

&lt;P&gt;Let's go to the Phantom Server Configuration:&lt;BR /&gt;
&lt;IMG src="https://i.imgur.com/cxXwvuJ.png" alt="alt text" /&gt;&lt;/P&gt;

&lt;P&gt;We can see in the next screenshot that HTTPS Certificate verification is enabled. For this post, being in a lab environment and without the requisite certificate work going into place, I am going to disable this. If you're just building Phantom with default certs or in a lab, you should follow this next step too.&lt;BR /&gt;
&lt;IMG src="https://i.imgur.com/MgzQlw3.png" alt="alt text" /&gt;&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;NOTE: If you are using Splunk Cloud, you &lt;EM&gt;cannot&lt;/EM&gt; disable SSL verification. Instead you will need to get a valid cert issued from a public CA.&lt;/STRONG&gt; &lt;/P&gt;

&lt;P&gt;Let's disable this verification. We can see in the README.md of the Phantom app in Splunk how to do this. To quote the document directly:&lt;/P&gt;

&lt;BLOCKQUOTE&gt;
&lt;P&gt;curl -ku 'username:password' &lt;A href="https://splunk:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs%5C?output_mode%5C=json"&gt;https://splunk:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs\?output_mode\=json&lt;/A&gt; -d value=0&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;

&lt;P&gt;So, I am going to type the following: &lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;curl -ku admin &lt;A href="https://192.168.54.22:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs%5C?output_mode%5C=json"&gt;https://192.168.54.22:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs\?output_mode\=json&lt;/A&gt; -d value=0&lt;/STRONG&gt;&lt;/P&gt;

&lt;P&gt;Note that I changed "splunk" -&amp;gt; "192.168.54.22" and I removed the ":password" from the first parameter. I like to be prompted for the password and thus not have the password go into bash_history.&lt;BR /&gt;
&lt;IMG src="https://i.imgur.com/nzMPC3t.png" alt="alt text" /&gt;&lt;/P&gt;

&lt;P&gt;Now, if I refresh the Phantom Server Configuration page, I can see that HTTPS certification verification is disabled.&lt;BR /&gt;
&lt;IMG src="https://i.imgur.com/irr6BLB.png" alt="alt text" /&gt;&lt;/P&gt;

&lt;P&gt;Okay... let's pop over to Phantom to get that side configured....&lt;/P&gt;

&lt;P&gt;First, we'll create a new automation user:&lt;BR /&gt;
&lt;IMG src="https://i.imgur.com/I0ENkW6.png" alt="alt text" /&gt;&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;NOTE:&lt;/STRONG&gt; In the next screenshot I have configured an IP for &lt;EM&gt;my lab&lt;/EM&gt;. My configuration looks like this:&lt;BR /&gt;
SPLUNK: 192.168.54.22&lt;BR /&gt;
Phantom: 192.168.54.72&lt;BR /&gt;
Therefore, Phantom (.72) has to allow Splunk (.22).&lt;BR /&gt;
NOTE:&lt;STRONG&gt;your IP configs will almost certainly be different&lt;/STRONG&gt;&lt;BR /&gt;
&lt;IMG src="https://i.imgur.com/cn2woqY.png" alt="alt text" /&gt;&lt;/P&gt;

&lt;P&gt;After clicking 'Create', we'll need to click the newly created account to get our API key.&lt;BR /&gt;
&lt;IMG src="https://i.imgur.com/BIEjvt4.png" alt="alt text" /&gt;&lt;/P&gt;

&lt;P&gt;Copy the entire API key to your clipboard and head back over to the Phantom Server Configuration in Splunk. Then click 'Create Server'. Paste the JSON there:&lt;BR /&gt;
&lt;IMG src="https://i.imgur.com/am2DBrA.png" alt="alt text" /&gt;&lt;/P&gt;

&lt;P&gt;When you click 'Save' it should validate the settings.&lt;BR /&gt;
&lt;IMG src="https://i.imgur.com/hjLzR8l.png" alt="alt text" /&gt;&lt;/P&gt;

&lt;P&gt;I've see the 403 errors be caused by the wrong IP address in the 'allowed ips' dialog box in Phantom. I've seen 403 because the Phantom role was not assigned to the user.  &lt;/P&gt;

&lt;P&gt;Hope this helps!&lt;/P&gt;

&lt;P&gt;Sam&lt;/P&gt;</description>
      <pubDate>Thu, 22 Aug 2019 17:35:01 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-SOAR/Error-adding-a-Phantom-Server-configuration-in-the-Phantom/m-p/405822#M65</guid>
      <dc:creator>sam_splunk</dc:creator>
      <dc:date>2019-08-22T17:35:01Z</dc:date>
    </item>
    <item>
      <title>Re: Error adding a Phantom Server configuration in the Phantom Splunk App.</title>
      <link>https://community.splunk.com/t5/Splunk-SOAR/Error-adding-a-Phantom-Server-configuration-in-the-Phantom/m-p/710581#M1670</link>
      <description>&lt;P&gt;"Hello, I really need help. Why is the 'Create Server' button in the 'APPSplunk App for SOAR' disabled? After installing this app on the Splunk Searchhead Cluster 9.3.1 through the Deployer, I still don't have a role named 'Phantom'. Please, I would really appreciate a response."&lt;/P&gt;&lt;P&gt;Let me know if you need anything else!&lt;/P&gt;</description>
      <pubDate>Tue, 04 Feb 2025 14:19:49 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-SOAR/Error-adding-a-Phantom-Server-configuration-in-the-Phantom/m-p/710581#M1670</guid>
      <dc:creator>saraomd93</dc:creator>
      <dc:date>2025-02-04T14:19:49Z</dc:date>
    </item>
  </channel>
</rss>

