Splunk SOAR (f.k.a. Phantom)

Phantom App for Splunk: Error loading Phantom Server Configurations & Error HTTP certification verification?

test_qweqwe
Builder

Hi.
I don't understand how to fix it.

App: Phantom -> Phantom Server Configuration:
Error loading Phantom Server Configurations: You must have phantom_read, phantom_write and admin_all_objects permissions.

1 Solution

test_qweqwe
Builder

@sebeling3
Hi, I fixed it already.
If you have a problem like mine,
try in Splunk via the GUI:

Settings > Access controls > Roles > Admin > Capabilities

And move phantom_read, phantom_write from Available capabilities to Selected capabilities

If you have a problem with HTTPS certificate verification,
try:
%splunk_home%/etc/apps/phantom/local/phantom

 [verify_certs]
 value = true (change to false)


bob_miron
Engager

Hi,

Thanks for documenting this, I was miles away and looking at the Capabilities on the Phantom side rather than Splunk's.

If I can participate, note that you can enable HTTPS with these steps:
From your browser (or any other method you like), export the certificate of the Phantom machine as an X.509 Certificate (PEM).
For instance, with Firefox: Click the padlock icon on the left of the URL > Click the arrow next to the IP address (if you're using the IP as I am) > More information (at the bottom) > Security tab > View Certificate > in the window that opens > Details > Export

Copy this to your Splunk machine in $SPLUNK_HOME/etc/apps/phantom/local/cert_bundle.pem

Now return to Splunk's Web UI and save your "Phantom Server Configuration" again. This should be accepted. No restart required.
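The two things this thread ends up changing are a Splunk role's capabilities and the app's TLS verification setting. The script below is an added example, not code from the thread or from Splunk's Phantom app: it parses constructed samples of the two files involved (an authorize.conf role stanza and the [verify_certs] stanza of local/phantom.conf), reports which of the required capabilities are still missing, and distinguishes the quick fix (verification off, any certificate accepted) from the exported cert_bundle.pem approach. The `[role_admin]` stanza with `<capability> = enabled` keys is an assumption about how the GUI step is stored; the `[verify_certs]`/`value` keys come from the posts above.

```python
"""Check the two settings this thread turns on: the Splunk role capabilities the
Phantom app requires, and whether its TLS verification is disabled or backed by
an exported certificate bundle. Added example; not the app's own code."""
import configparser
from pathlib import Path

# Capabilities named in the app's error message (from the thread).
REQUIRED_CAPABILITIES = ("phantom_read", "phantom_write", "admin_all_objects")

# Constructed sample of a Splunk authorize.conf role stanza before the fix.
# Assumption: the GUI step (Roles > Admin > Capabilities) stores the role's
# capabilities as `<capability> = enabled` lines under a `[role_<name>]` stanza.
SAMPLE_AUTHORIZE_CONF = """\
[role_admin]
admin_all_objects = enabled
edit_roles = enabled
"""

# Constructed sample of etc/apps/phantom/local/phantom.conf after the thread's
# workaround (verification switched off).
SAMPLE_PHANTOM_CONF = """\
[verify_certs]
value = false
"""

# Constructed stand-in for cert_bundle.pem content; a real file holds the
# Phantom server's exported X.509 certificate in PEM form.
SAMPLE_CERT_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
)


def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep capability names exactly as written
    cp.read_string(text)
    return cp


def missing_capabilities(authorize_conf_text, role="admin"):
    """Return the required capabilities not enabled for `role`, in the order
    the error message lists them."""
    cp = _parse(authorize_conf_text)
    stanza = f"role_{role}"
    enabled = set()
    if cp.has_section(stanza):
        enabled = {cap for cap, val in cp.items(stanza) if val.strip().lower() == "enabled"}
    return [cap for cap in REQUIRED_CAPABILITIES if cap not in enabled]


def tls_verification_status(phantom_conf_text, cert_bundle_text=None):
    """Classify how the app will treat the Phantom server's certificate.

    'disabled'  : [verify_certs] value is off, so any certificate is accepted
                  (the quick fix above; the API token then travels over an
                  unauthenticated TLS session).
    'bundle'    : verification on and cert_bundle.pem holds a PEM certificate
                  (the export approach in this reply).
    'system-ca' : verification on, no bundle; a self-signed Phantom cert
                  will be rejected and saving the configuration fails.
    """
    cp = _parse(phantom_conf_text)
    value = cp.get("verify_certs", "value", fallback="true").strip().lower()
    if value in ("false", "0", "no"):
        return "disabled"
    if cert_bundle_text and "-----BEGIN CERTIFICATE-----" in cert_bundle_text:
        return "bundle"
    return "system-ca"


def read_bundle(path):
    """Return the bundle file's text, or None when it does not exist."""
    p = Path(path)
    return p.read_text() if p.is_file() else None


def findings(authorize_conf_text, phantom_conf_text, cert_bundle_text=None, role="admin"):
    """Human-readable list of what still needs fixing; empty when all is well."""
    out = []
    missing = missing_capabilities(authorize_conf_text, role)
    if missing:
        out.append(f"role '{role}' is missing capabilities: {', '.join(missing)}")
    status = tls_verification_status(phantom_conf_text, cert_bundle_text)
    if status == "disabled":
        out.append("verify_certs is off: export the Phantom cert to local/cert_bundle.pem instead")
    elif status == "system-ca":
        out.append("no cert_bundle.pem: a self-signed Phantom cert will fail verification")
    return out


if __name__ == "__main__":
    # Point read_bundle at $SPLUNK_HOME/etc/apps/phantom/local/cert_bundle.pem on a real host.
    for line in findings(SAMPLE_AUTHORIZE_CONF, SAMPLE_PHANTOM_CONF, read_bundle("cert_bundle.pem")):
        print(line)
```

Run against the real files by reading `$SPLUNK_HOME/etc/system/local/authorize.conf` and `$SPLUNK_HOME/etc/apps/phantom/local/phantom.conf` into the two text arguments; the `findings` list is empty only when all three capabilities are enabled and verification is on with a bundle present.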

vasdell
Engager

One other thing that tripped me up: add your Splunk server IPs to the Allowed IPs list of the Phantom user you copied the token from.

DEAD_BEEF
Builder

for clarity, the path is:

%splunk_home%/etc/apps/phantom/local/phantom.conf


oadiaobong
New Member

I don't have a local folder; all I see is default. I made the change there and I still get the error "AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/nobody/phantom/configs/conf-phantom?count=-1&output_mode=json"

Can anyone help?


sebeling3
New Member

I'm seeing the same thing. I am new to Splunk and Phantom and wanted to set up a POC using the free versions. I've installed both Splunk (Win 2016) and Phantom on CentOS 7.4 on Azure on the same subnet.

Connectivity seems to be fine from both servers.

I am simply trying to setup via the Splunk Enterprise "app" under this screen by following the directions on the Phantom Configuration Page.
