Splunk SOAR
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

configure Phantom app in Splunk through RestApi

ucz350
Path Finder
‎01-14-2020 03:04 AM

Hi,

Trying to post the token and servername from the Phantomserver, into the Phantom app on the Splunk-server.

This answer: "https://answers.splunk.com/answers/739373/error-adding-a-phantom-server-configuration-in-the.html?ut..."
I have everything working except creating the server(adding token+servername) thorugh rest-api or equivalent.

Anyone knows how to do this?

Something like this:
curl -ku 'admin:pw' https://splunkserver:8089/servicesNS/nobody/phantom/configs/conf-phantom/XXX

Similiar to:

curl -ku 'admin:pw' https://splunkserver:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs\?output_mode\=... -d value=0

Anyone who has done this already?

Labels (2)
Labels
Tags (1)
0 Karma
Reply

pbareiB_splunk
Splunk Employee
Splunk Employee
‎03-04-2020 12:10 AM

Hi,

I had the same problem and figured it out with some help.
You can do it with the following REST API request:

curl -k -u "admin:PASSWORD_HERE" --data '{"verify_certs":"false","enable_logging":"false","config":[{"ph-auth-token":"AUTH_TOKEN_HERE","server":"https://IP_OR_HOST","custom_name":"","default":false,"user":"","ph_auth_config_id":"193b2ffc-48fb-4087-bc75-c44184e7fa07","proxy":"","validate":true}],"accepted":"true","save":true}' https://localhost:8089/services/update_phantom_config?output_mode=json

With the assumption that you already installed the Splunk Phantom App and assign the phantom permissions to the admin user.

0 Karma
Reply

ucz350
Path Finder
‎01-14-2020 04:36 AM

Thanks for the response. The above method I am aware of. Was more referering of a way to do the above but automatically. Either thorugh rest-api or by configuring config files. The wanted end result is the same as what you have described above but an automated way of getting there basically.

0 Karma
Reply

ansusabu
Communicator
‎01-14-2020 04:27 AM

I didn't get your question. But I assume that you are trying to connect Splunk and Phantom through Phantom app in Splunk. For configuring Phantom in Splunk, goto phantom configuration and add the authorization token which you will get from Phantom.
You can get the authorization token from phantom:
goto Administration in main menu-> User Management-> user-> click on the 'automation' user., copy the authorization token and paste it in Splunk

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...