Hi.
I don't understand how to fix it.
App: Phantom -> Phantom Server Configuration:Error loading Phantom Server Configurations: You must have phantom_read, phantom_write and admin_all_objects permissions.
@sebeling3
Hi, I fixed it already.
If you have a problem like mine,
try in Splunk via the GUI:
Settings > Access controls > Roles > Admin > Capabilities
And move phantom_read, phantom_write from Available capabilities to Selected capabilities.
If you have a problem with HTTPS certificate verification, try:
%splunk_home%/etc/apps/phantom/local/phantom
[verify_certs]
value = true (change to false)
Hi,
Thanks for documenting this, I was miles away and looking at the Capabilities on the Phantom side rather than Splunk's.
If I can participate, note that you can enable HTTPS with these steps:
From your browser (or any other method you like), export the certificate of the Phantom machine as X.509 Certificate (PEM).
For instance, with Firefox: Click the padlock icon on the left of the URL > Click the arrow next to the IP address (if you're using the IP as I am) > More information (at the bottom) > Security tab > View Certificate > in the next open that opens > Details > Export
Copy this to your Splunk machine in $SPLUNK_HOME/etc/apps/phantom/local/cert_bundle.pem
Now return to Splunk's Web UI and save your "Phantom Server Configuration" again. This should be accepted. No restart required.
One other thing that tripped me up: add your Splunk server IPs to the Allowed IPs list of the Phantom user you copied the token from.
@sebeling3
Hi, I fixed it already.
If you have a problem like mine,
try in Splunk via the GUI:
Settings > Access controls > Roles > Admin > Capabilities
And move phantom_read, phantom_write from Available capabilities to Selected capabilities.
If you have a problem with HTTPS certificate verification, try:
%splunk_home%/etc/apps/phantom/local/phantom
[verify_certs]
value = true (change to false)
for clarity, the path is:
%splunk_home%/etc/apps/phantom/local/phantom.conf
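Added example (not part of any post in this thread, and not Splunk's or the app's own code): a small audit that reports which layer sets `[verify_certs] value` and whether `local/cert_bundle.pem` holds a PEM certificate, so certificate verification can stay enabled with the exported certificate rather than being switched off. The function names, the sample tree and the list of "off" spellings are assumptions; it relies on Splunk's normal rule that `local/` overrides `default/`.

```python
import configparser
import tempfile
from pathlib import Path

OFF = {"0", "false", "f", "no", "n"}  # assumption: spellings treated as "disabled"
PEM_MARKER = "-----BEGIN CERTIFICATE-----"

def effective_verify_certs(app_dir):
    """Return (value, layer) for [verify_certs] value; local/ overrides default/."""
    found = (None, None)
    for layer in ("default", "local"):  # read in precedence order, last one wins
        conf = Path(app_dir) / layer / "phantom.conf"
        if not conf.is_file():
            continue
        parser = configparser.ConfigParser(interpolation=None, strict=False)
        parser.read(conf, encoding="utf-8")
        if parser.has_option("verify_certs", "value"):
            found = (parser.get("verify_certs", "value").strip(), layer)
    return found

def audit(app_dir):
    """List findings about TLS verification for the app directory."""
    findings = []
    value, layer = effective_verify_certs(app_dir)
    if value is not None and value.lower() in OFF:
        findings.append(f"verify_certs is disabled in {layer}/phantom.conf")
        if layer == "default":
            findings.append("default/ was edited; overrides belong in local/")
    bundle = Path(app_dir) / "local" / "cert_bundle.pem"
    if not (bundle.is_file() and PEM_MARKER in bundle.read_text(errors="replace")):
        findings.append("no PEM certificate found at local/cert_bundle.pem")
    return findings

def build_sample(root, default_value, local_value=None, bundle=False):
    """Create a constructed app directory tree for the demo (not real data)."""
    app = Path(root) / "phantom"
    (app / "default").mkdir(parents=True)
    (app / "local").mkdir()
    (app / "default" / "phantom.conf").write_text(f"[verify_certs]\nvalue = {default_value}\n")
    if local_value is not None:
        (app / "local" / "phantom.conf").write_text(f"[verify_certs]\nvalue = {local_value}\n")
    if bundle:
        (app / "local" / "cert_bundle.pem").write_text(PEM_MARKER + "\n(constructed placeholder)\n")
    return app

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(build_sample(tmp, "true", local_value="false")))
```

Point `audit()` at the real app directory (for example `$SPLUNK_HOME/etc/apps/phantom`) to check an actual install.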
I don't have a local folder; all I see is default, and I made the change there and I still get the error "AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/nobody/phantom/configs/conf-phantom?count=-1&output_mode=json"
Can anyone help?
I'm seeing the same thing. I am new to Splunk and Phantom and wanted to set up a POC using the free versions. I've installed both Splunk (win 2016) and Phantom on CentOS 7.4 on Azure on the same subnet.
Connectivity seems to be fine from both servers.
I am simply trying to set up via the Splunk Enterprise "app" under this screen by following the directions on the Phantom Configuration Page.
I'm getting the same error. Anyone figure out the solution:
Splunk App for SOAR Export Latest Version 4.3.13
There was an error adding the server configuration.
On SOAR: Verify server's 'Allowed IPs' and authorization configuration.
Error talking to Splunk: POST /servicesNS/nobody/phantom/storage/passwords: status code 500: b'{"messages":[{"type":"ERROR","text":"\\n In handler \'passwords\': Data could not be written: /nobody/phantom/passwords/credential::78a22ab111a4d706cbb4d830f19ea1b3d752f277:/password: $7$qAjGApYELkDTpOBFCFv+hnwTe6tSbTIAIk2b/s4q6GdFBw0mT6AQYQh85WYOruod9tt4ArrN0rjOHYBbesSJqjOjeOUqIjeYl7efAQ=="}]}'