Splunk SOAR

configure Phantom app in Splunk through RestApi

ucz350
Path Finder

Hi,

Trying to post the token and servername from the Phantomserver, into the Phantom app on the Splunk-server.

This answer: "https://answers.splunk.com/answers/739373/error-adding-a-phantom-server-configuration-in-the.html?ut..."
I have everything working except creating the server(adding token+servername) thorugh rest-api or equivalent.

Anyone knows how to do this?

Something like this:
curl -ku 'admin:pw' https://splunkserver:8089/servicesNS/nobody/phantom/configs/conf-phantom/XXX

Similiar to:

curl -ku 'admin:pw' https://splunkserver:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs\?output_mode\=... -d value=0

Anyone who has done this already?

Labels (2)
Tags (1)
0 Karma

pbareiB_splunk
Splunk Employee
Splunk Employee

Hi,

I had the same problem and figured it out with some help.
You can do it with the following REST API request:

curl -k -u "admin:PASSWORD_HERE" --data '{"verify_certs":"false","enable_logging":"false","config":[{"ph-auth-token":"AUTH_TOKEN_HERE","server":"https://IP_OR_HOST","custom_name":"","default":false,"user":"","ph_auth_config_id":"193b2ffc-48fb-4087-bc75-c44184e7fa07","proxy":"","validate":true}],"accepted":"true","save":true}' https://localhost:8089/services/update_phantom_config?output_mode=json

With the assumption that you already installed the Splunk Phantom App and assign the phantom permissions to the admin user.

0 Karma

ucz350
Path Finder

Thanks for the response. The above method I am aware of. Was more referering of a way to do the above but automatically. Either thorugh rest-api or by configuring config files. The wanted end result is the same as what you have described above but an automated way of getting there basically.

0 Karma

ansusabu
Communicator

I didn't get your question. But I assume that you are trying to connect Splunk and Phantom through Phantom app in Splunk. For configuring Phantom in Splunk, goto phantom configuration and add the authorization token which you will get from Phantom.
You can get the authorization token from phantom:
goto Administration in main menu-> User Management-> user-> click on the 'automation' user., copy the authorization token and paste it in Splunk

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...