Splunk SOAR
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

configure Phantom app in Splunk through RestApi

ucz350
Path Finder
‎01-14-2020 03:04 AM

Hi,

Trying to post the token and servername from the Phantomserver, into the Phantom app on the Splunk-server.

This answer: "https://answers.splunk.com/answers/739373/error-adding-a-phantom-server-configuration-in-the.html?ut..."
I have everything working except creating the server(adding token+servername) thorugh rest-api or equivalent.

Anyone knows how to do this?

Something like this:
curl -ku 'admin:pw' https://splunkserver:8089/servicesNS/nobody/phantom/configs/conf-phantom/XXX

Similiar to:

curl -ku 'admin:pw' https://splunkserver:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs\?output_mode\=... -d value=0

Anyone who has done this already?

Labels (2)
Labels
Tags (1)
0 Karma
Reply

pbareiB_splunk
Splunk Employee
Splunk Employee
‎03-04-2020 12:10 AM

Hi,

I had the same problem and figured it out with some help.
You can do it with the following REST API request:

curl -k -u "admin:PASSWORD_HERE" --data '{"verify_certs":"false","enable_logging":"false","config":[{"ph-auth-token":"AUTH_TOKEN_HERE","server":"https://IP_OR_HOST","custom_name":"","default":false,"user":"","ph_auth_config_id":"193b2ffc-48fb-4087-bc75-c44184e7fa07","proxy":"","validate":true}],"accepted":"true","save":true}' https://localhost:8089/services/update_phantom_config?output_mode=json

With the assumption that you already installed the Splunk Phantom App and assign the phantom permissions to the admin user.

0 Karma
Reply

ucz350
Path Finder
‎01-14-2020 04:36 AM

Thanks for the response. The above method I am aware of. Was more referering of a way to do the above but automatically. Either thorugh rest-api or by configuring config files. The wanted end result is the same as what you have described above but an automated way of getting there basically.

0 Karma
Reply

ansusabu
Communicator
‎01-14-2020 04:27 AM

I didn't get your question. But I assume that you are trying to connect Splunk and Phantom through Phantom app in Splunk. For configuring Phantom in Splunk, goto phantom configuration and add the authorization token which you will get from Phantom.
You can get the authorization token from phantom:
goto Administration in main menu-> User Management-> user-> click on the 'automation' user., copy the authorization token and paste it in Splunk

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...