This article applies to Splunk Phantom versions 4.6 , 4.5 , 4.2 , 4.1 , 4.0 , 3.5 , 3.0 , 2.1 , 2.0   The Active Directory/LDAP debug script is used to view a detailed output of the connection and authentication attempt between Splunk Phantom and an Active Directory instance. The script accesses the Splunk Phantom database and uses the Active Directory server configuration and credentials as configured in Splunk Phantom. For a copy of the debug script, open a Support case. WARNING: The debug script output will contain the Active Directory password in plain text. It is your responsibility to sanitize the report before sharing with unauthorized persons. Before running the script, verify the Splunk Phantom Active Directory settings are configured with the credentials intended for the debug script to use. In Splunk Phantom, select Administration > System Settings > Authentication. Verify the credentials listed in the Active Directory Settings fields. Click Save Changes. Run the Active Directory/LDAP connection and authentication debug script. Transfer the script "test_ldap.pyc" to the Phantom server. Phantom 2.1 and previous: Change the current user to apache. [root@localhost user]# sudo -u apache bash Phantom 2.1 and previous: Run the test_ldap.pyc script. [root@localhost user]# python2.7 test_ldap.pyc Phantom 3.0 to current: Change the current user to nginx. [root@localhost user]# sudo -u nginx bash Phantom 3.0 to current: Run the test_ldap.pyc script. [root@localhost user]# phenv python2.7 test_ldap.pyc The debug script output will contain the Active Directory password in plain text. It is your responsibility to sanitize the report before sharing with unauthorized persons. Below is an example output from the script in Splunk Phantom 3.0 showing a successful Active Directory connection: [root@localhost user]# sudo -u nginx bash bash-4.1$ phenv python2.7 test_ldap.pyc ldap_create ldap_url_parse_ext(ldap://dc1.corp.contoso.com) *** ldap://dc1.corp.contoso.com - SimpleLDAPObject.set_option ((17, 3), {}) *** ldap://dc1.corp.contoso.com - SimpleLDAPObject.set_option ((8, 0), {}) *** ldap://dc1.corp.contoso.com - SimpleLDAPObject.set_option ((20485, 10.0), {}) *** ldap://dc1.corp.contoso.com - SimpleLDAPObject.set_option ((20482, 10.0), {}) *** ldap://dc1.corp.contoso.com - SimpleLDAPObject.simple_bind (('administrator@corp.contoso.com', 'PASSWORD', None, None), {}) ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP dc1.corp.contoso.com:389 ldap_new_socket: 4 ldap_prepare_socket: 4 ldap_connect_to_host: Trying 10.17.1.42:389 ldap_pvt_connect: fd: 4 tm: 10 async: 0 ldap_ndelay_on: 4 attempting to connect: connect errno: 115 ldap_int_poll: fd: 4 tm: 10 ldap_is_sock_ready: 4 ldap_ndelay_off: 4 ldap_pvt_connect: 0 ldap_open_defconn: successful ldap_send_server_request *** ldap://dc1.corp.contoso.com - SimpleLDAPObject.result4 ((1, 1, -1, 0, 0, 0), {}) ldap_result ld 0x1676e00 msgid 1 wait4msg ld 0x1676e00 msgid 1 (timeout 10000000 usec) wait4msg continue ld 0x1676e00 msgid 1 all 1 ** ld 0x1676e00 Connections: * host: dc1.corp.contoso.com port: 389 (default) refcnt: 2 status: Connected last used: Thu Dec 1 16:00:38 2016 ** ld 0x1676e00 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ld 0x1676e00 request count 1 (abandoned 0) ** ld 0x1676e00 Response Queue: Empty ld 0x1676e00 response count 0 ldap_chkResponseList ld 0x1676e00 msgid 1 all 1 ldap_chkResponseList returns ld 0x1676e00 NULL ldap_int_select read1msg: ld 0x1676e00 msgid 1 all 1 read1msg: ld 0x1676e00 msgid 1 message type bind read1msg: ld 0x1676e00 0 new referrals read1msg: mark request completed, ld 0x1676e00 msgid 1 request done: ld 0x1676e00 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_parse_result ldap_msgfree ldap_free_connection 1 1 ldap_send_unbind ldap_free_connection: actually freed ... View more

This article describes a workaround when you run a playbook and see the "user parameter must be of type string" error, but the parameter is a string.   An example of this error is shown below: TypeError: Error in phantom.prompt(): user parameter must be of type string An example call that generates this error is shown below: phantom.prompt(user="support", message="Verify incident details", respond_in_mins=30, name="prompt_1", callback=prompt_1_callback) The issue can be caused by an import that changes what is considered a string, such as: import unicode_literals To resolve the issue, specify that the string values are strings using str(). For example: phantom.prompt(user=str("support"), message=str("Verify incident details"), respond_in_mins=30, name=str("prompt_1"), callback=prompt_1_callback) ... View more

NOTE: These steps were verified using Phantom version 4.2.7532 and Splunk Universal Forwarder version 7.2.6. Network port conflicts may arise when Splunk Phantom is installed on a system with an existing Splunk universal forwarder that is using default port settings. By default, the universal forwarder uses port 8088 for the HTTP event collector (HEC) and port 8089 for the REST API. Those are the same ports used by the Splunk instance that is bundled with Splunk Phantom, which results in conflicts when provisioning the bundled Splunk instance. Symptoms of this problem include an error in the Splunk Phantom wen interface when applying a license key ("Failed to update license: status"), and "ConnectionError", "AttributeError: status", and "Http400: status" messages in Splunk Phantom's wsgi.log file. This is because the bundled Splunk instance does not start due to the port conflicts, so Splunk Phantom cannot contact it to completely apply the license key. The steps to correct this involve selecting new ports for the Splunk universal forwarder to use by modifying Splunk and Splunk Phantom configuration files, aligning the value of the HEC token in the bundled Splunk instance with that in the Splunk Phantom search settings, and restarting services. Change the ports being used by the existing Splunk universal forwarder Select two available ports other than 8088 and 8089 for use by the existing Splunk UF HEC and REST API. Override the HEC port specification by editing or creating the {SPLUNK_UF_HOME}/etc/apps/splunk_httpinput/local/inputs.conf file and defining the [http] stanza and port attribute. For example: [http] port = <your-custom-HEC-port> Override the REST API port specification by editing or creating the {SPLUNK_UF_HOME}/etc/system/local/web.conf file and defining the [settings] stanza and mgmtHostPort attribute. For example: [settings] mgmtHostPort=127.0.0.1:<your-custom-REST-port> Restart the universal forwarder to apply the changes to the configuration files. {SPLUNK_UF_HOME}/bin/splunk restart Use the netstat command to verify the universal forwarder is no longer using ports 8088 and 8089 and that they are free. If they are in use then verify the configuration changes detailed above are correct. The absence of output from this command indicates the ports are free: netstat --numeric --listening | grep 808[89] Align the value of the HEC tokens Rename {PHANTOM_HOME}/splunk/etc/passwd to {PHANTOM_HOME}/splunk/etc/passwd.bak. Edit {PHANTOM_HOME}/splunk/etc/apps/splunk_httpinput/local/inputs.conf. Save the token attribute value from the [http://phantom-token] stanza. For example: [http://phantom-token] token = e0d171a1-641c-4ef9-873e-2b2d58ef0e8b Your token attribute value will be different from the example. Save the token attribute value, then delete the entire [http://phantom-token] stanza. After saving the file, ensure it is still owned by phantom and is in the group phantom. Open a Django shell: phenv python2.7 /opt/phantom/www/manage.py shell Run the following commands from the Django shell: from phantom_ui.ui.models.system import SystemSettings s = SystemSettings.get_settings() del s.search_settings['splunk']['local'] s.save() After running these commands, leave the Django shell open. Open a Bash shell and restart the Splunk instance bundled with Splunk Phantom {PHANTOM_HOME}/bin/phsvc restart splunk Run the following command: su - phantom --shell=/bin/bash -c "phenv python2.7 /opt/phantom/bin/insert_splunk_config_to_db.pyc" From the DJango shell, run the following commands: s = SystemSettings.get_settings() s.search_settings['splunk']['local']['hec']['token'] In the Django shell, run the following commands only if the output from the preceding command is blank: s.search_settings['splunk']['local']['hec']['token'] = 'token_saved_in_previous_step' s.save() Press CTRL-D to exit hte DJango shell. Edit {PHANTOM_HOME}/splunk/etc/apps/splunk_httpinput/local/inputs.conf and verify whether the [http://phantom-token] stanza exists. If not, add the following and save the file: [http://phantom=token] token = <token-saved-in-previous-step> At this point the value of the HEC token in the bundled Splunk configuration (/opt/phantom/splunk/etc/apps/splunk_httpinput/local/inputs.conf) matches the value of the HEC token in the Splunk Phantom search settings (search_settings['splunk']['local']['hec']['token']). Restart the Splunk instance bundled with Splunk Phantom: {PHANTOM_HOME}/bin/phsvc restart splunk ... View more

In some cases, the Splunk Phantom virtual appliance can lose its time synchronization with the system time. For example, some virtual machine management functions can be run that would revert the Splunk Phantom virtual appliance an older snapshot that is still running, thus pausing the virtual appliance and losing synchronization with the system time.   You can use any of the strategies on this page to work around this issue. Install VMWare Tools on the virtual appliance You can install the VMWare Tools configuration utility on the virtual appliance and synchronize it with the ESX host. In this scenario, the time is automatically synchronized whenever the host is resumed or reverted. Manually update the time on the host You can use the ntpdate command to force the date to be updated. Access the command line of the virtual appliance as root, then run the ntpdate command. For example: ntpdate -v -u 0.centos.pool.ntp.org​ Replace the NTP host or pool as desired. Install the VMWare Tools on your Splunk Phantom virtual machine In VMWare environments, you can install VMWare Tools configuration utility on your Splunk Phantom virtual machine. This causes the virtual machine to automatically synchronize the time with the physical host, assuming the physical host as NTP configured. Perform the following steps: Make sure NTP is properly configured on the physical host. In the VMWare management environment, install the VMWare Tools configuration utility on the virtual machine. This "inserts" a CD containing VMWare Tools into the virtual CD-ROM drive. Access the command line of virtual machine as the root user. Run the following command: mount /dev/cdrom /mnt Untar the file from the /mnt directory into the root user's home directory: [root@localhost]# cd ~ [root@localhost]# tar -xvf /mnt/VMWareTools-9.4.5-1598834.tar.gz [root@localhost]# cd vmware-tools-distrib/ Run the following command to start the installer, and follow the prompts to complete the installation: [root@localhost]# ./vmware-install.pl ... View more

This article provides an example of how to use the Splunk Phantom REST API to create multiple assets. This may be useful if you have a large number of similar asset types, such as firewalls, Windows servers, or vSphere servers. See Using the REST API reference for Splunk Phantom for more information. To create as asset in Splunk Phantom using the REST API, post a JSON object to a specific URL on the Splunk Phantom server.  TO see the contents of the JSON, you can manually create an example asset, then export the JSON using the API. The following script (tested with Python 2.7) exports all of your assets to JSON files in the current directory. Replace the host, username, and password with the actual values from your own environment: """ export_assets.py This script will go through the list of Assets in a Phantom server and create a .json file for each in the current directory """ import requests, json host = '10.16.0.201' #IP address or hostname of the Phantom server username = 'admin' password = 'password' verifycert = False #Default to not checking the validity of the SSL cert, since Phantom defaults to self-signed maxpages = 100 #Assume there are no more than 100 pages of results, to protect against an accidental loop baseurl='https://' + host + '/rest/asset?page=' #The base URL for a list of all assets, by page number currentpage = 0 if not verifycert: requests.packages.urllib3.disable_warnings() #If disabling SSL cert check, also disable the warnings assetids = [] while True: currenturl = baseurl + str (currentpage) r = requests.get(currenturl, auth=(username, password), verify = verifycert) results = r.json() pages = int (results['num_pages']) #Get the total number of pages, so we know how many to read currentpage = currentpage + 1 for asset in results['data']: assetids.append (asset['id']) #Save the asset ID for each asset, so we can fetch each one if (currentpage >= pages) or (currentpage >= maxpages): #If we have read all the pages or hit the limit, stop break baseurl='https://' + host + '/rest/asset/' #The base URL for an individual asset, by Asset ID for assetid in assetids: currenturl = baseurl + assetid #Append the Asset ID to the base URL r = requests.get(currenturl, auth=(username, password), verify = verifycert) results = r.json() filename = results['name'] + '.json' #Open a file for writing with the asset name for the filename and .json for an extension file = open(filename, 'w') file.write (json.dumps(results, indent=2, sort_keys=True)) #Write out the JSON in mostly-human-readable format Below is an example of the JSON file produced by the script: { "configuration": { "ingest": {}, "password": "vN9ExjcSq1GhkTzOmwwDTA==", "server": "10.16.0.151", "username": "root" }, "description": "", "disabled": false, "id": "3a15ae6f-1013-4143-82c1-a58c30a27bbb", "name": "labesxi1", "primary_owner": { "user_ids": [], "voting": 0 }, "product_name": "vSphere", "product_vendor": "VMware", "product_version": "", "secondary_owner": { "user_ids": [], "voting": 0 }, "tags": [ "" ], "token": null, "type": "virtualization", "version": 1 } You can edit the JSON file and change the fields as needed, such as the name, server, and password.  After making the desired changes, use the following script to post the JSON file to the correct URL: """ create-asset.py This script takes a JSON file representing a Phantom Asset, and creates the Asset on the server """ import requests, json, sys host = '10.16.0.201' #IP address or hostname of the Phantom server username = 'admin' password = 'password' verifycert = False #Default to not checking the validity of the SSL cert, since Phantom defaults to self-signed baseurl='https://' + host + '/rest/asset' #The base URL for posting to create an Asset if len(sys.argv) < 2: print 'Usage: ' + sys.argv[0] + ' [filename]' sys.exit (1) assetfilename = sys.argv[1] with open(assetfilename) as assetfile: assetjson = json.load(assetfile) if not verifycert: requests.packages.urllib3.disable_warnings() #If disabling SSL cert check, also disable the warnings #Post the JSON to the URL r = requests.post(baseurl, data = json.dumps(assetjson), auth=(username, password), verify = verifycert) print json.dumps(json.loads(r.text), indent=2, sort_keys=True) #Print the results from the server When you export an asset using the API, you get all the fields saved for that asset, including some internal fields that you don't need to specify when you create an asset. Field Description id Each asset is assigned an ID when the asset is created. If you use the JSON file to create a new asset, the existing ID is ignored. password If you use the JSON file to create a new asset, the existing encrypted password causes the creation of the new asset to fail authentication. You must replace the encrypted password with a clear text password.   The minimum number of fields required to create an asset depends on the asset type. Some assets may only require a name, vendor, and product, while others may also require several additional fields. The following example shows the minimum field in the JSON for a vSphere asset: { "configuration": { "server": "10.16.0.151", "username": "root", "password": "password" }, "name": "labesxi1", "product_name": "vSphere", "product_vendor": "VMware" } You can edit this file to change the name and IP address, the post it to create a new asset. However, this requires you to edit and post the file once for each asset. An alternative for creating a large number of similar assets is to use a CSV file. For example: "name","product_name","product_vendor","configuration:server","configuration:username","configuration:password" "labesxi1","vSphere","VMware","10.16.0.151","root","password" "labesxi2","vSphere","VMware","10.16.0.152","root","password" "labesxi3","vSphere","VMware","10.16.0.153","root","password" "labesxi4","vSphere","VMware","10.16.0.154","root","password" "labesxi5","vSphere","VMware","10.16.0.155","root","password" "labesxi6","vSphere","VMware","10.16.0.156","root","password" "labesxi7","vSphere","VMware","10.16.0.157","root","password" "labesxi8","vSphere","VMware","10.16.0.158","root","password" "labesxi9","vSphere","VMware","10.16.0.159","root","password" "labesxi10","vSphere","VMware","10.16.0.160","root","password" We can write a script that will create all of these assets at once. The column names in the first line are very important for the script, as they represent the JSON variable names.  The name, product_name, and product_vendor parameters are common to every asset. The server, username, and password parameters are specific to the asset type and are in a sub-list named configuration.  Hence, the server is referred to as configuration:server. The following script reads the CSV and creates the assets: """ create_assets_from_csv.py This script takes a CSV file containing parameters needed to create multiple Phantom Assets """ import requests, json, sys, csv host = '10.16.0.201' #IP address or hostname of the Phantom server username = 'admin' password = 'password' verifycert = False #Default to not checking the validity of the SSL cert, since Phantom defaults to self-signed baseurl='https://' + host + '/rest/asset' #The base URL for posting to create an Asset if len(sys.argv) < 2: print 'Usage: ' + sys.argv[0] + ' [filename]' sys.exit (1) csvfilename = sys.argv[1] header = [] rows=[] with open(csvfilename) as csvfile: reader = csv.reader(csvfile) first_row = True for row in reader: if first_row: header = row #save the header row #got header first_row = False continue if not row: continue rows.append(row) #save the data rows into a list if not verifycert: requests.packages.urllib3.disable_warnings() #If disabling SSL cert check, also disable the warnings for row in rows: #loop through the data rows asset = {} asset['configuration'] = {} for i, column in enumerate(header): #loop again for each header column print column + " = " + row[i] if column.startswith('configuration:'): #if the column name starts with configuration:, stick it under the configuration list subcolumn = column.split('configuration:',1)[1] asset['configuration'][subcolumn] = row[i] else: asset[column] = row[i] #otherwise add the variable to the top level of the JSON print json.dumps(asset, indent=2, sort_keys=True) #pretty-print the JSON we made #post the JSON r = requests.post(baseurl, data = json.dumps(asset), auth = (username, password), verify = verifycert) #pretty-print the JSON result from the server print json.dumps(json.loads(r.text), indent=2, sort_keys=True) print For a different asset type, create a separate CSV with the correct header line for that asset type, and one row for each asset. ... View more