Splunk SOAR (f.k.a. Phantom)

SOAR HTTP app to Cisco Secure Endpoint API

m22oswald
Engager

I'm trying to set up the HTTP app to access the CIsco Secure Endpoint API (v3).  I've generated the access token following the instructions found here.    I can send a curl request in POSTMAN, using the access token, to get organisation details.  So I know the access token is ok:

 

 

 

curl -s 'https://api.amp.cisco.com/v3/organizations?size=10' \
                --header "Authorization: Bearer eyJhbGciOiJ....."

 

 

 

When I enter the same value in the access_token field in the HTTP app and test connectivity, I always receive the following error status code:

error 401 Data from server: {"errors":["Missing token"]}

I'm not sure what to enter for the Type of Authentication Token, so maybe that's where I'm messing it up.  I think it should be Bearer, because that's the only thing in POSTMAN header other than the token itself.

Note that I haven't entered anything in any of the other authentication fields (username, password, url, Client ID, Client Secret).  And also - I get the same error if I don't enter anything in the access token field.  Basically, it's just ignored.

Labels (2)
0 Karma

Carloszavala121
Explorer

Another solution that I would do to solve the problem would be with an executed actions in this case a code within a flow make the request through python code where the same url enter the token like this example

import requests url = 'https://api.amp.cisco.com/v3/organizations?size=10' headers = { 'Authorization': 'Bearer eyJhbGciOiJ.....' # Asegúrate de reemplazar esto con tu token real } # Realizar la petición GET response = requests.get(url, headers=headers) # Verificar si la petición fue exitosa (código de estado 200) if response.status_code == 200: # Imprimir la respuesta JSON print(response.json()) else: # Imprimir el código de estado y el mensaje de error en caso de falla print(f'Error: {response.status_code} - {response.text}')

0 Karma

Carloszavala121
Explorer

Carloszavala121_0-1705621107014.png

Hello, apparently in SOAR the token section is optional, an idea would be that you do not enter anything in the token but you do enter the necessary credentials to carry out your request, in this case your username and password

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...