Splunk SOAR (f.k.a. Phantom)

configure Phantom app in Splunk through RestApi

Path Finder


Trying to post the token and servername from the Phantomserver, into the Phantom app on the Splunk-server.

This answer: "https://answers.splunk.com/answers/739373/error-adding-a-phantom-server-configuration-in-the.html?ut..."
I have everything working except creating the server(adding token+servername) thorugh rest-api or equivalent.

Anyone knows how to do this?

Something like this:
curl -ku 'admin:pw' https://splunkserver:8089/servicesNS/nobody/phantom/configs/conf-phantom/XXX

Similiar to:

curl -ku 'admin:pw' https://splunkserver:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs\?output_mode\=... -d value=0

Anyone who has done this already?

Labels (2)
Tags (1)
0 Karma

Splunk Employee
Splunk Employee


I had the same problem and figured it out with some help.
You can do it with the following REST API request:

curl -k -u "admin:PASSWORD_HERE" --data '{"verify_certs":"false","enable_logging":"false","config":[{"ph-auth-token":"AUTH_TOKEN_HERE","server":"https://IP_OR_HOST","custom_name":"","default":false,"user":"","ph_auth_config_id":"193b2ffc-48fb-4087-bc75-c44184e7fa07","proxy":"","validate":true}],"accepted":"true","save":true}' https://localhost:8089/services/update_phantom_config?output_mode=json

With the assumption that you already installed the Splunk Phantom App and assign the phantom permissions to the admin user.

0 Karma

Path Finder

Thanks for the response. The above method I am aware of. Was more referering of a way to do the above but automatically. Either thorugh rest-api or by configuring config files. The wanted end result is the same as what you have described above but an automated way of getting there basically.

0 Karma


I didn't get your question. But I assume that you are trying to connect Splunk and Phantom through Phantom app in Splunk. For configuring Phantom in Splunk, goto phantom configuration and add the authorization token which you will get from Phantom.
You can get the authorization token from phantom:
goto Administration in main menu-> User Management-> user-> click on the 'automation' user., copy the authorization token and paste it in Splunk

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...