Splunk SOAR (f.k.a. Phantom)

SOAR HTTP app to Cisco Secure Endpoint API


I'm trying to set up the HTTP app to access the CIsco Secure Endpoint API (v3).  I've generated the access token following the instructions found here.    I can send a curl request in POSTMAN, using the access token, to get organisation details.  So I know the access token is ok:




curl -s 'https://api.amp.cisco.com/v3/organizations?size=10' \
                --header "Authorization: Bearer eyJhbGciOiJ....."




When I enter the same value in the access_token field in the HTTP app and test connectivity, I always receive the following error status code:

error 401 Data from server: {"errors":["Missing token"]}

I'm not sure what to enter for the Type of Authentication Token, so maybe that's where I'm messing it up.  I think it should be Bearer, because that's the only thing in POSTMAN header other than the token itself.

Note that I haven't entered anything in any of the other authentication fields (username, password, url, Client ID, Client Secret).  And also - I get the same error if I don't enter anything in the access token field.  Basically, it's just ignored.

Labels (2)
0 Karma


Another solution that I would do to solve the problem would be with an executed actions in this case a code within a flow make the request through python code where the same url enter the token like this example

import requests url = 'https://api.amp.cisco.com/v3/organizations?size=10' headers = { 'Authorization': 'Bearer eyJhbGciOiJ.....' # Asegúrate de reemplazar esto con tu token real } # Realizar la petición GET response = requests.get(url, headers=headers) # Verificar si la petición fue exitosa (código de estado 200) if response.status_code == 200: # Imprimir la respuesta JSON print(response.json()) else: # Imprimir el código de estado y el mensaje de error en caso de falla print(f'Error: {response.status_code} - {response.text}')

0 Karma



Hello, apparently in SOAR the token section is optional, an idea would be that you do not enter anything in the token but you do enter the necessary credentials to carry out your request, in this case your username and password

0 Karma
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...