Splunk SOAR

Splunk SOAR access environment variables

JustntherSplker
Explorer

We have a playbook which is making calls to SOAR REST API artifacts endpoint.

We are having to pass the auth token for the REST API call in the script as plain text which isn't ideal.

Given we haven't configured a vault/vault-like solution (CA, Vault etc.),

1) We set a SOAR global environment variable and stored the value as a secret, but how do we call this in our script?

Have tried looking at all possible attributes in the phantom library - Documentation is next to none for this - I also tried os.environ.get but custom variables are not going to be present in it. I am able to access value of variables like NO_PROXY and it returns the respective value.

Any ideas around this will help.

2) I am also trying to get the base URL for constructing the REST call

Using build_phantom_rest_url or get_base_url is returning the URL as local address 127.0.0.1 and not our specific URL.

In short, trying to access the values in the image within our custom function and haven't found a solution.

Making a REST API call requires auth and that option is ruled out for getting the API token.

Any inputs will help. Thanks in advance.

Splunk_SOAR.png

JustntherSplker
Explorer

We worked with Splunk support to solve this. Recording the response since others might find it useful.

1) phantom.get_base_url() helps access the URL set in the above screenshot (Base URL for Splunk SOAR) - Previous attempts did not work which is bizarre

2) Accessing environment variables

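    import os

    import django
    import phantom.rules as phantom  # standard playbook import; provides phantom.debug

    # Point Django at the SOAR UI settings before loading its models
    os.environ.setdefault("DJANGO_SETTINGS_MODULE", "phantom_ui.settings")
    django.setup()

    from phantom_ui.ui.models import SystemSettings

    # Read the global environment variables stored in the SOAR system settings
    s = SystemSettings.get_settings()
    envVars = s.environment_variables
    phantom.debug(envVars)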

If your variable is called abc, you can now access its value in a variable by

    abcvalue = envVars['abc']['value']

3) If your environment variable is stored as a secret, step 2 returns a salted variable which is no good for the authentication. Use the below to decrypt it before usage.

    import encryption_helper

    clear_text_password = encryption_helper.decrypt(abcvalue, 'Splunk>Phantom')


By using 2 and 3, you can programmatically access environment variables including secret tokens and avoid specifying plaintext auth creds in your code block / custom functions!

0 Karma
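Steps 2 and 3 of the answer above, wrapped into a lookup helper that fails closed and never logs values; this is an added example, not part of the original post or of Splunk's code. The function names, the sample data and `fake_decrypt` are hypothetical; the `{name: {'value': ...}}` shape and the salt come from the post, and on SOAR you would pass `encryption_helper.decrypt` as `decrypt`.

```python
# Added example: hypothetical helpers, not part of the phantom library.
# Shape taken from the post: env_vars[name]['value'] holds the stored value.

SALT = "Splunk>Phantom"  # salt string quoted in step 3 of the post


class MissingVariable(KeyError):
    """Raised when a variable is absent or has an empty value."""


def get_env_value(env_vars, name, decrypt=None, salt=SALT):
    """Return one variable's value, decrypting it when `decrypt` is given.

    Raises instead of returning None, so a missing token cannot silently
    turn into an unauthenticated or malformed REST call.
    """
    entry = env_vars.get(name)
    if not isinstance(entry, dict) or not entry.get("value"):
        raise MissingVariable(name)
    value = entry["value"]
    return decrypt(value, salt) if decrypt else value


def redacted_view(env_vars):
    """Variable names with masked values: safe to pass to phantom.debug()."""
    return {name: "<redacted>" for name in sorted(env_vars)}


def auth_header(env_vars, name, decrypt):
    """Header for SOAR REST token auth, built from a secret variable."""
    return {"ph-auth-token": get_env_value(env_vars, name, decrypt)}


# Constructed sample data and a stand-in for encryption_helper.decrypt,
# so the example runs outside SOAR.
SAMPLE_ENV = {
    "abc": {"value": "enc:nekot-elpmas"},
    "NO_PROXY": {"value": "127.0.0.1"},
    "empty": {"value": ""},
}


def fake_decrypt(ciphertext, salt):
    return ciphertext[len("enc:"):][::-1]


if __name__ == "__main__":
    print(redacted_view(SAMPLE_ENV))
```

Logging `redacted_view(envVars)` instead of `envVars` keeps both the encrypted and the decrypted token out of the playbook debug log.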
