invalid token error while communicating through r...

rajafarhat16 · ‎01-03-2020

Crypt · ‎12-01-2020

Not OP but my issue was that I'd allowed the wrong IP address. I'd discounted this as a possibility but when I checked the logs on the Phantom server (/var/log/nginx/access.log) I found that the IP of my Splunk server was not what I'd expected (vitulisation messiness).

Thanks to the others in this thread.

cblumer_splunk · ‎01-07-2020

Areas to check:

Automation user on the Phantom side used for the Splunk integration - check the "Allowed IPs" config, this needs to allow for the Splunk search head to communicate with the Phantom host to create new containers/artifacts via the Forwarding Config
Make sure you're entering the entire 'ph-auth-token' value on the Phantom Server Configuration
Check the $splunk_home/var/log/splunk/phantom_configuration.log file for more details

Please post more information to aid in finding a fix.

rajafarhat16 · ‎01-05-2020

can anyone here to help me in this regard ?

sam_splunk · ‎01-06-2020

Can you provide more details on what configuration you have set on both sides? Also have you checked out: https://my.phantom.us/4.5/docs/admin/splunk ?

rajafarhat16 · ‎01-06-2020

thanks i solved my issue

sam_splunk · ‎01-07-2020

Would you be able to post the details of your fix in case anyone else runs across the same problem?

invalid token error while communicating through rest API with phantom using splunk

configuration

development

troubleshooting

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases