Splunk SOAR (f.k.a. Phantom)
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

configure Phantom app in Splunk through RestApi

ucz350
Path Finder
‎01-14-2020 03:04 AM

Hi,

Trying to post the token and servername from the Phantomserver, into the Phantom app on the Splunk-server.

This answer: "https://answers.splunk.com/answers/739373/error-adding-a-phantom-server-configuration-in-the.html?ut..."
I have everything working except creating the server(adding token+servername) thorugh rest-api or equivalent.

Anyone knows how to do this?

Something like this:
curl -ku 'admin:pw' https://splunkserver:8089/servicesNS/nobody/phantom/configs/conf-phantom/XXX

Similiar to:

curl -ku 'admin:pw' https://splunkserver:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs\?output_mode\=... -d value=0

Anyone who has done this already?

Labels (2)
Labels
Tags (1)
0 Karma
Reply

pbareiB_splunk
Splunk Employee
Splunk Employee
‎03-04-2020 12:10 AM

Hi,

I had the same problem and figured it out with some help.
You can do it with the following REST API request:

curl -k -u "admin:PASSWORD_HERE" --data '{"verify_certs":"false","enable_logging":"false","config":[{"ph-auth-token":"AUTH_TOKEN_HERE","server":"https://IP_OR_HOST","custom_name":"","default":false,"user":"","ph_auth_config_id":"193b2ffc-48fb-4087-bc75-c44184e7fa07","proxy":"","validate":true}],"accepted":"true","save":true}' https://localhost:8089/services/update_phantom_config?output_mode=json

With the assumption that you already installed the Splunk Phantom App and assign the phantom permissions to the admin user.

0 Karma
Reply

ucz350
Path Finder
‎01-14-2020 04:36 AM

Thanks for the response. The above method I am aware of. Was more referering of a way to do the above but automatically. Either thorugh rest-api or by configuring config files. The wanted end result is the same as what you have described above but an automated way of getting there basically.

0 Karma
Reply

ansusabu
Communicator
‎01-14-2020 04:27 AM

I didn't get your question. But I assume that you are trying to connect Splunk and Phantom through Phantom app in Splunk. For configuring Phantom in Splunk, goto phantom configuration and add the authorization token which you will get from Phantom.
You can get the authorization token from phantom:
goto Administration in main menu-> User Management-> user-> click on the 'automation' user., copy the authorization token and paste it in Splunk

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...