This is a step-by-step walkthrough of the configuration and some troubleshooting steps. Hopefully this will help people who are seeing these types of messages.
The starting point is having a Phantom OVA configured and a Splunk instance without the Phantom App for Splunk installed.
1) Let's start by installing the Phantom App for Splunk:
2) Let's go ahead and add a user to the Phantom Role in Splunk:
(assuming 'admin' will be doing the configuration)
(Don't forget to click 'Save' after adding the Phantom role!)
Next, let's look at our App:
Let's go to the Phantom Server Configuration:
We can see in the next screenshot that HTTPS Certificate verification is enabled. For this post, being in a lab environment and without the requisite certificate work going into place, I am going to disable this. If you're just building Phantom with default certs or in a lab, you should follow this next step too.
NOTE: If you are using Splunk Cloud, you cannot disable SSL verification. Instead you will need to get a valid cert issued from a public CA.
Let's disable this verification. We can see in the README.md of the Phantom app in Splunk how to do this. To quote the document directly:
curl -ku 'username:password' https://splunk:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs\?output_mode\=json -d value=0
So, I am going to type the following:
curl -ku admin https://192.168.54.22:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs\?output_mode\=json -d value=0
Note that I changed "splunk" -> "192.168.54.22" and I removed the ":password" from the first parameter. I like to be prompted for the password and thus not have the password go into bash_history.
Now, if I refresh the Phantom Server Configuration page, I can see that HTTPS certificate verification is disabled.
Okay... let's pop over to Phantom to get that side configured....
First, we'll create a new automation user:
NOTE: In the next screenshot I have configured an IP for my lab. My configuration looks like this:
SPLUNK: 192.168.54.22
Phantom: 192.168.54.72
Therefore, Phantom (.72) has to allow Splunk (.22).
NOTE: your IP configs will almost certainly be different.
After clicking 'Create', we'll need to click the newly created account to get our API key.
Copy the entire API key to your clipboard and head back over to the Phantom Server Configuration in Splunk. Then click 'Create Server'. Paste the JSON there:
When you click 'Save' it should validate the settings.
I've seen the 403 errors caused by the wrong IP address in the 'allowed ips' dialog box in Phantom. I've also seen 403s because the Phantom role was not assigned to the user.
Hope this helps!
Sam
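Two of the steps above (disabling verify_certs through the Splunk REST endpoint, and the 403 caused by a wrong entry in the Phantom automation user's 'allowed ips') can be sanity-checked before clicking 'Save'. The following pre-flight checker is an added example, not code from the post or from the Phantom App for Splunk; it assumes the REST endpoint returns Splunk's usual entry/content JSON layout and that the allowed-ips list is given as plain addresses or CIDR ranges.

```python
"""Pre-flight checks for the Splunk -> Phantom setup described in the post.

Assumptions (not taken from the app or from Splunk docs):
- verify_body is the JSON returned by the verify_certs REST call
  (Splunk's standard {"entry":[{"name":..., "content":{...}}]} layout).
- allowed_ips is what was typed into the automation user's 'allowed ips'
  box in Phantom, as plain IPs or CIDR ranges.
"""
import ipaddress
import json

# Constructed sample of the verify_certs endpoint's reply after `-d value=0`.
SAMPLE_VERIFY_CERTS_JSON = json.dumps({
    "entry": [{"name": "verify_certs", "content": {"value": "0"}}]
})


def verify_certs_enabled(response_body):
    """Parse the conf-phantom/verify_certs reply; True if TLS verification is on."""
    doc = json.loads(response_body)
    for entry in doc.get("entry", []):
        if entry.get("name") == "verify_certs":
            value = str(entry.get("content", {}).get("value", "1")).strip()
            return value != "0"
    # Stanza missing entirely: assume the secure default (verification on).
    return True


def splunk_allowed(splunk_ip, allowed_ips):
    """True if the Splunk host's IP falls inside the automation user's allow-list."""
    src = ipaddress.ip_address(splunk_ip)
    for item in allowed_ips:
        # strict=False lets a bare host address ("192.168.54.22") act as a /32.
        if src in ipaddress.ip_network(item.strip(), strict=False):
            return True
    return False


def preflight(splunk_ip, allowed_ips, verify_body, lab=False):
    """Return a list of problems that would produce a 403 or weaken TLS."""
    problems = []
    if not splunk_allowed(splunk_ip, allowed_ips):
        problems.append(f"{splunk_ip} not in Phantom allowed ips -> expect HTTP 403")
    if not verify_certs_enabled(verify_body) and not lab:
        problems.append("verify_certs=0 outside a lab: Splunk will trust any cert from Phantom")
    return problems


if __name__ == "__main__":
    # Lab values from the post: Splunk .22 must be allowed by Phantom .72.
    print(preflight("192.168.54.22", ["192.168.54.72"], SAMPLE_VERIFY_CERTS_JSON, lab=True))
```

Running it with the post's lab addresses but the Phantom IP mistakenly entered in 'allowed ips' reports the 403 condition; swapping in 192.168.54.22 (or 192.168.54.0/24) clears it.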