I am getting a 403 error when adding a new server configuration to the Phantom app in Splunk.
"There was an error adding the server configuration. Verify server's 'Allowed IPs' and authorization configuration.
Status: 403
Text: Forbidden"
I have made sure that the Allowed IPs are set to 'any', and have regenerated the Authorization Configuration multiple times. Any idea what is going on? Anyone have a similar experience?
This is a step-by-step walk through of the configuration and some troubleshooting steps. Hopefully this will help with people seeing these types of messages.
The starting point is having a Phantom OVA configured and a Splunk instance without the Phantom App for Splunk installed.
1) Let's start by installing the Phantom App for Splunk:
2) Let's go ahead and add a user to the Phantom Role in Splunk:
(assuming 'admin' will be doing the configuration)
(Don't forget to click 'Save' after adding the Phantom role!)
Next, let's look at our App:
Let's go to the Phantom Server Configuration:
We can see in the next screenshot that HTTPS Certificate verification is enabled. For this post, being in a lab environment and without the requisite certificate work going into place, I am going to disable this. If you're just building Phantom with default certs or in a lab, you should follow this next step too.
NOTE: If you are using Splunk Cloud, you cannot disable SSL verification. Instead you will need to get a valid cert issued from a public CA.
Let's disable this verification. We can see in the README.md of the Phantom app in Splunk how to do this. To quote the document directly:
curl -ku 'username:password' https://splunk:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs\?output_mode\=json -d value=0
So, I am going to type the following:
curl -ku admin https://192.168.54.22:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs\?output_mode\... -d value=0
Note that I changed "splunk" -> "192.168.54.22" and I removed the ":password" from the first parameter. I like to be prompted for the password and thus not have the password go into bash_history.
Now, if I refresh the Phantom Server Configuration page, I can see that HTTPS certificate verification is disabled.
Okay... let's pop over to Phantom to get that side configured....
First, we'll create a new automation user:
NOTE: In the next screenshot I have configured an IP for my lab. My configuration looks like this:
SPLUNK: 192.168.54.22
Phantom: 192.168.54.72
Therefore, Phantom (.72) has to allow Splunk (.22).
NOTE: your IP configs will almost certainly be different
After clicking 'Create', we'll need to click the newly created account to get our API key.
Copy the entire API key to your clipboard and head back over to the Phantom Server Configuration in Splunk. Then click 'Create Server'. Paste the JSON there:
When you click 'Save' it should validate the settings.
I've seen 403 errors caused by the wrong IP address in the 'allowed ips' dialog box in Phantom. I've seen 403 because the Phantom role was not assigned to the user.
Hope this helps!
Sam
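An added example, not from Sam's post or from the Phantom app's README: the same REST call wrapped so the credential never goes on the command line (it is passed through a 0600 curl config file, which also keeps it out of `ps` output), followed by a GET that reads verify_certs back to confirm the change. The 192.168.54.22 address is the lab IP from the post; the assumption that Splunk's output_mode=json response carries the stanza's keys under entry[0].content, and the helper names, are mine.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: flip the Phantom app's
# verify_certs setting over the Splunk REST API without ever putting the
# password on the command line, then read the setting back to confirm.
# Assumptions (not stated on the page): Splunk management port 8089 on
# 192.168.54.22 (the lab address from the post), bash + curl + grep + sed,
# and Splunk's JSON shape, where the stanza keys sit under entry[0].content.
set -eu

SPLUNK_HOST="${SPLUNK_HOST:-192.168.54.22}"
SPLUNK_USER="${SPLUNK_USER:-admin}"
ENDPOINT="https://${SPLUNK_HOST}:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs"

# Pull the "value" key out of the JSON Splunk returns for the verify_certs
# stanza (output_mode=json). Plain grep/sed so it works where jq is absent.
extract_value() {
    printf '%s' "$1" \
      | grep -o '"value"[[:space:]]*:[[:space:]]*"[^"]*"' \
      | head -n 1 \
      | sed 's/.*"\([^"]*\)"$/\1/'
}

# Exit 0 when certificate verification is disabled (value "0"), 1 otherwise.
verify_certs_disabled() {
    [ "$(extract_value "$1")" = "0" ]
}

# Read the password without echo. An environment variable or a prompt keeps
# it out of ~/.bash_history; a literal 'user:password' argument does not.
prompt_password() {
    printf 'Password for %s@%s: ' "$SPLUNK_USER" "$SPLUNK_HOST" >&2
    stty -echo
    read -r SPLUNK_PASS
    stty echo
    printf '\n' >&2
}

# Hand the credential to curl through a 0600 config file. Unlike -u on the
# command line, this keeps it out of history and out of `ps` output too.
# 'insecure' is -k: Splunk's management port usually has a self-signed cert,
# 'fail' is --fail: a 403 makes curl exit non-zero and set -e stops us.
write_curl_config() {
    cfg="$(mktemp)"
    chmod 0600 "$cfg"
    printf 'user = "%s:%s"\ninsecure\nsilent\nfail\n' "$SPLUNK_USER" "$SPLUNK_PASS" > "$cfg"
}

main() {
    [ -n "${SPLUNK_PASS:-}" ] || prompt_password
    write_curl_config
    trap 'rm -f "$cfg"' EXIT

    # Same request as the README's curl line, with -d value=0 making it a POST.
    curl --config "$cfg" -d value=0 "${ENDPOINT}?output_mode=json" > /dev/null

    # Read the stanza back instead of trusting the POST's status alone.
    resp="$(curl --config "$cfg" "${ENDPOINT}?output_mode=json")"
    if verify_certs_disabled "$resp"; then
        echo "verify_certs is now 0: HTTPS certificate verification disabled"
    else
        echo "verify_certs still reads '$(extract_value "$resp")'" >&2
        exit 1
    fi
}

# Only act when invoked as `./disable_verify_certs.sh apply`, so the helper
# functions can be sourced or tested without touching a live Splunk server.
if [ "${1:-}" = "apply" ]; then
    main
fi
```

Run it as `./disable_verify_certs.sh apply`; SPLUNK_HOST and SPLUNK_USER override the lab defaults, and if SPLUNK_PASS is unset it prompts. Note that a 403 from this curl call is a different problem from the one in the question: here it means the Splunk account is not allowed to write conf-phantom, not that Phantom rejected the Splunk host.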
Hi aridday, is that the full error message or is there more text below the "Text: Forbidden" part?
Two things to verify. First, is your account associated with the phantom role? If you are using local accounts, simply add your account in Settings/Access Control/Roles. If you are using LDAP users, then map the groups using Authentication/Authentication Method/LDAP Settings/Map Groups.
Next, log in to the CLI of your Phantom server and run the following command:
curl -ku 'username:password' https://SplunkEnterpriseServer.domain.com:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify... -d value=0
Finally, clean up history:
run the history command from the cli prompt
find the line number with your password in plain text
Run the command: history -d %linenumber%
run the history command again to verify you deleted the password.
I'm not sure if "any" will work, but if not, enter the IP of the ES server you are connecting from.
Go back to the phantom app configuration and try to create the server again.
What do you mean by clean up history? How exactly do we do that?
This is the history of the Linux operating system. From the shell command line, type the command "history". This shows the most recent commands typed into the shell. If you put a password on the command line as a parameter, it will show in history. You can either clear all the history, or just that one line. To clear just the one line, find the line number with your password in plain text. Then run the command: history -d linenumber (no quotes, just the line number you found by running the history command).
I use the history in Linux to save time by pressing either the up or down arrow on the keyboard. So I only delete the one line with the password in it. The rest I leave alone.
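As an added example that is not from anyone in this thread: the same cleanup done by pattern rather than by reading one line number off by hand. It assumes bash, because history -d is a bash builtin that only acts on the current interactive shell's list, and the regex for "curl credential with a password part" is my own.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: find and delete every bash history
# entry that carries an inline curl credential ('-u user:password',
# '-ku user:password' or '--user user:password'), not just one line
# number read off by hand. Entries that use '-u user' alone are left in
# place, because curl prompts for those and nothing secret is recorded.
# Assumes bash; `history -d` acts on the current interactive shell's list,
# so source this file there rather than running it as a separate process:
#   source ./scrub_history.sh && scrub_credential_history

# Input: the text that `history` prints. Output: one history number per line
# for each entry whose curl credential includes a password part.
credential_history_numbers() {
    printf '%s\n' "$1" \
      | grep -E -e "(-[a-zA-Z]*u|--user)[[:space:]]*['\"]?[^'\"[:space:]:]+:[^'\"[:space:]]+" \
      | sed -E 's/^[[:space:]]*([0-9]+).*/\1/'
}

# Delete the matching entries from the live history list, highest number
# first so the remaining numbers stay valid while we delete, then write the
# list out so the password does not come back from $HISTFILE at next login.
scrub_credential_history() {
    local n
    for n in $(credential_history_numbers "$(history)" | sort -rn); do
        history -d "$n"
    done
    history -w
}
```

Deleting from the highest number down matters: `history -d` renumbers everything after the removed entry, so walking upward would skip or hit the wrong lines. The final `history -w` is what actually removes the password from disk; without it the in-memory edit is lost when the shell exits and the file is rewritten.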
You can also omit the password and curl will prompt, thus eliminating the need to clean up the history.
I'm having the exact same issue. I can confirm that traffic TCP port 443 traffic is allowed between the Splunk server and the Phantom server.