Hi.
I don't understand how to fix it.
App: Phantom -> Phantom Server Configuration:Error loading Phantom Server Configurations: You must have phantom_read, phantom_write and admin_all_objects permissions.
@sebeling3
Hi, I fixed it already.
If you have a problem like mine, try this in Splunk via the GUI:
Settings > Access controls > Roles > Admin > Capabilities
Then move phantom_read, phantom_write from Available capabilities to Selected capabilities.
If you have a problem with HTTPS certificate verification, try:
%splunk_home%/etc/apps/phantom/local/phantom
[verify_certs]
value = true (change to false)
Hi,
Thanks for documenting this, I was miles away and looking at the Capabilities on the Phantom side rather than Splunk's.
If I can participate, note that you can enable HTTPS with these steps:
From your browser (or any other method you like), export the certificate of the Phantom machine as X.509 Certificate (PEM).
For instance, with Firefox: Click the padlock icon on the left of the URL > Click the arrow next to the IP address (if you're using the IP as I am) > More information (at the bottom) > Security tab > View Certificate > in the next window that opens > Details > Export
Copy this to your Splunk machine in $SPLUNK_HOME/etc/apps/phantom/local/cert_bundle.pem
Now return to Splunk's Web UI and save your "Phantom Server Configuration" again. This should be accepted. No restart required.
One other thing that tripped me up: add your Splunk server IPs to the Allowed IPs list of the Phantom user you copied the token from.
For clarity, the path is:
%splunk_home%/etc/apps/phantom/local/phantom.conf
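An added example, not part of any post in this thread or of the Splunk app: a Python check that reports the effective `[verify_certs]` value after merging `default/phantom.conf` with `local/phantom.conf`, and confirms that `local/cert_bundle.pem` holds a PEM certificate. The function names, the constructed sample tree and the treatment of an absent stanza as "enabled" are assumptions.

```python
import configparser
import re
import tempfile
from pathlib import Path

# A PEM-encoded certificate block (a DER export will not match).
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+[A-Za-z0-9+/=\s]+-----END CERTIFICATE-----")

def effective_verify_certs(app_dir):
    """Merge default/ then local/ phantom.conf; local/ overrides default/."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    # read() skips files that do not exist, so a missing local/ is handled.
    cp.read([Path(app_dir) / "default" / "phantom.conf",
             Path(app_dir) / "local" / "phantom.conf"])
    # Assumption: verification counts as enabled when the stanza is absent.
    return cp.getboolean("verify_certs", "value", fallback=True)

def audit(app_dir):
    """Return findings about TLS verification for the phantom app dir."""
    findings = []
    if not effective_verify_certs(app_dir):
        findings.append("verify_certs is false: the Phantom server's "
                        "certificate is not checked")
    bundle = Path(app_dir) / "local" / "cert_bundle.pem"
    if not (bundle.is_file()
            and PEM_CERT.search(bundle.read_text(errors="replace"))):
        findings.append("local/cert_bundle.pem is missing or holds no "
                        "PEM certificate")
    return findings

def build_sample(root, local_value=None, bundle_text=None):
    """Constructed app tree for the demo; not a real Splunk install."""
    app = Path(root) / "etc" / "apps" / "phantom"
    (app / "default").mkdir(parents=True)
    (app / "local").mkdir()
    (app / "default" / "phantom.conf").write_text(
        "[verify_certs]\nvalue = true\n")
    if local_value is not None:
        (app / "local" / "phantom.conf").write_text(
            f"[verify_certs]\nvalue = {local_value}\n")
    if bundle_text is not None:
        (app / "local" / "cert_bundle.pem").write_text(bundle_text)
    return app

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit(build_sample(tmp, local_value="false")):
            print("FINDING:", finding)
```

To check a real installation, call `audit()` with the path to `etc/apps/phantom` under the Splunk home directory.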
I don't have a local folder; all I see is default, and I made the change there and I still get the error "AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/nobody/phantom/configs/conf-phantom?count=-1&output_mode=json"
Can anyone help?
I'm seeing the same thing. I am new to Splunk and Phantom and wanted to set up a POC using the free versions. I've installed both Splunk (Win 2016) and Phantom on CentOS 7.4 on Azure on the same subnet.
Connectivity seems to be fine from both servers.
I am simply trying to set up via the Splunk Enterprise "app" under this screen by following the directions on the Phantom Configuration Page.
I'm getting the same error. Anyone figure out the solution:
Splunk App for SOAR Export Latest Version 4.3.13
There was an error adding the server configuration.
On SOAR: Verify server's 'Allowed IPs' and authorization configuration.
Error talking to Splunk: POST /servicesNS/nobody/phantom/storage/passwords: status code 500: b'{"messages":[{"type":"ERROR","text":"\\n In handler \'passwords\': Data could not be written: /nobody/phantom/passwords/credential::78a22ab111a4d706cbb4d830f19ea1b3d752f277:/password: $7$qAjGApYELkDTpOBFCFv+hnwTe6tSbTIAIk2b/s4q6GdFBw0mT6AQYQh85WYOruod9tt4ArrN0rjOHYBbesSJqjOjeOUqIjeYl7efAQ=="}]}'