Splunk SOAR (f.k.a. Phantom)

Error adding a Phantom Server configuration in the Phantom Splunk App.

aridday
Engager

I am getting a 403 error when adding a new server configuration to the Phantom app in Splunk.

"There was an error adding the server configuration. Verify server's 'Allowed IPs' and authorization configuration.
Status: 403
Text: Forbidden"

I have made sure that the Allowed IPs are set to 'any', and have regenerated the Authorization Configuration multiple times. Any idea what is going on? Anyone have a similar experience?


sam_splunk
Splunk Employee

This is a step-by-step walkthrough of the configuration and some troubleshooting steps. Hopefully this will help people seeing these types of messages.

The starting point is having a Phantom OVA configured and a Splunk instance without the Phantom App for Splunk installed.

1) Let's start by installing the Phantom App for Splunk:

[screenshot]

[screenshot]

2) Let's go ahead and add a user to the Phantom Role in Splunk:
[screenshot]

[screenshot]

(assuming 'admin' will be doing the configuration)
[screenshot]

[screenshot]
(Don't forget to click 'Save' after adding the Phantom role!)

Next, let's look at our App:
[screenshot]

Let's go to the Phantom Server Configuration:
[screenshot]

We can see in the next screenshot that HTTPS Certificate verification is enabled. For this post, being in a lab environment and without the requisite certificate work going into place, I am going to disable this. If you're just building Phantom with default certs or in a lab, you should follow this next step too.
[screenshot]

NOTE: If you are using Splunk Cloud, you cannot disable SSL verification. Instead you will need to get a valid cert issued from a public CA.

Let's disable this verification. We can see in the README.md of the Phantom app in Splunk how to do this. To quote the document directly:

curl -ku 'username:password' https://splunk:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs\?output_mode\=json -d value=0

So, I am going to type the following:

curl -ku admin https://192.168.54.22:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs\?output_mode\... -d value=0

Note that I changed "splunk" -> "192.168.54.22" and I removed the ":password" from the first parameter. I like to be prompted for the password and thus not have the password go into bash_history.
[screenshot]

Now, if I refresh the Phantom Server Configuration page, I can see that HTTPS certificate verification is disabled.
[screenshot]

Okay... let's pop over to Phantom to get that side configured....

First, we'll create a new automation user:
[screenshot]

NOTE: In the next screenshot I have configured an IP for my lab. My configuration looks like this:
SPLUNK: 192.168.54.22
Phantom: 192.168.54.72
Therefore, Phantom (.72) has to allow Splunk (.22).
NOTE: your IP configs will almost certainly be different
[screenshot]

After clicking 'Create', we'll need to click the newly created account to get our API key.
[screenshot]

Copy the entire API key to your clipboard and head back over to the Phantom Server Configuration in Splunk. Then click 'Create Server'. Paste the JSON there:
[screenshot]

When you click 'Save' it should validate the settings.
[screenshot]

I've seen 403 errors caused by the wrong IP address in the 'allowed ips' dialog box in Phantom. I've also seen 403 because the Phantom role was not assigned to the user.

Hope this helps!

Sam
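A small preflight check for the two 403 causes Sam names above, added here as an example (it is not code from this thread or from the Splunk app). It assumes that Phantom's 'Allowed IPs' field holds either the literal 'any' or a comma-separated list of IP addresses or CIDR networks, and that the authorization JSON pasted into the app carries the 'ph-auth-token' and 'server' keys; the lab addresses are the ones from the post.

```python
"""Preflight for the Splunk -> Phantom server configuration (added example).

Models the two 403 causes from the post: the Phantom automation user's
'Allowed IPs' not covering the Splunk server, and the Splunk user missing
the 'phantom' role. Assumptions not stated on the page: 'Allowed IPs' is
'any' or a comma-separated list of IPs/CIDRs; the pasted authorization
JSON carries 'ph-auth-token' and 'server'.
"""
import ipaddress
import json


def allowed_ips_permit(allowed_ips: str, source_ip: str) -> bool:
    """True if source_ip (the Splunk server) is covered by the allowed list."""
    entries = [e.strip() for e in allowed_ips.split(",") if e.strip()]
    if any(e.lower() == "any" for e in entries):
        return True
    src = ipaddress.ip_address(source_ip)
    for entry in entries:
        try:
            # strict=False tolerates host bits set, e.g. 192.168.54.22/24
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # an unparseable entry cannot permit anything
        if src in net:  # False when IPv4/IPv6 versions differ
            return True
    return False


def preflight(allowed_ips: str, splunk_ip: str, user_roles, auth_json: str):
    """Return the list of problems that would each yield the 403 in the post."""
    problems = []
    if not allowed_ips_permit(allowed_ips, splunk_ip):
        problems.append(f"Phantom 'Allowed IPs' ({allowed_ips!r}) does not cover Splunk at {splunk_ip}")
    if "phantom" not in {r.lower() for r in user_roles}:
        problems.append("Splunk user is not a member of the 'phantom' role")
    try:
        cfg = json.loads(auth_json)
    except json.JSONDecodeError as exc:
        return problems + [f"authorization JSON does not parse: {exc.msg}"]
    for key in ("ph-auth-token", "server"):
        if not cfg.get(key):
            problems.append(f"authorization JSON lacks '{key}' (was the whole key pasted?)")
    return problems


if __name__ == "__main__":
    # Constructed lab values matching the post: Splunk .22, Phantom .72.
    # Common mistake: entering Phantom's own address instead of Splunk's.
    sample = '{"ph-auth-token": "EXAMPLE-TOKEN", "server": "https://192.168.54.72"}'
    for problem in preflight("192.168.54.72", "192.168.54.22", ["admin"], sample):
        print("403 cause:", problem)
```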

sam_splunk
Splunk Employee

Hi aridday, is that the full error message or is there more text below the "Text: Forbidden" part?


jaxjohnny2000
Builder

Two things to verify. First, is your account associated with the phantom role? If you are using local accounts, simply add your account in Settings/Access Control/Roles. If you are using LDAP users, then map the groups using Authentication/Authentication Method/LDAP Settings/Map Groups.

Next login CLI to your Phantom server and run the following command:

curl -ku 'username:password' https://SplunkEnterpriseServer.domain.com:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify... -d value=0

Finally, clean up history:
Run the history command from the CLI prompt.
Find the line number with your password in plain text.
Run the command: history -d %linenumber%

Run the history command again to verify you deleted the password.

I'm not sure if "any" will work, but if not, enter the IP of the ES server you are connecting from.
Go back to the phantom app configuration and try to create the server again.


grantccarlson
New Member

What do you mean by clean up history? How exactly do we do that?


jaxjohnny2000
Builder

This is the history of the Linux operating system. From the shell command line, type the command "history". This shows the most recent commands typed into the shell. If you put a password on the command line as a parameter, it will show in history. You can either clear all the history, or just that one line. To clear just the one line, find the line number with your password in plain text. Then run the command: history -d linenumber (no quotes, just the line number you found running the history command).

I use the history in Linux to save time by pressing either the up or down arrow on the keyboard. So I only delete the one line with the password in it. The rest I leave alone.


sam_splunk
Splunk Employee

You can also omit the password and curl will prompt, thus eliminating the need to clear up the history.


roayers
Explorer

I'm having the exact same issue. I can confirm that TCP port 443 traffic is allowed between the Splunk server and the Phantom server.
