
Using the REST API reference for Splunk Phantom

The Splunk Phantom platform supports RESTful APIs in order to create, update, and selectively remove objects from the system. REST API requests must be performed over HTTPS, and only authorized users and devices are allowed. User and token based authentication methods exist. Some REST API calls require user based authentication, for example, deleting records.

HTTP Basic auth for user based authentication can be easily performed by the Python requests module:

    requests.get('', auth=('admin', 'password'))

Authentication can also be provided on the command line with curl -u "username:password".

For token based authentication, the token can be provided in the URL, or ph-auth-token must be present in the HTTP headers. Using the token in the password field of the request with no username allows REST access without requiring a valid Splunk Phantom user:

    curl -u ":authToken"

See the sample Python script below in the "Provisioning an Authorization Token" section for an example using requests with ph-auth-token in the HTTP headers.

Provisioning an authorization token

Use the automation user provided in Splunk Phantom by default to acquire an authorization token. This user and any other automation type users are service accounts that provide access to the REST API with customizable restrictions.

1. Log in to Splunk Phantom as an administrative user.
2. From the Main Menu, select Administration.
3. Provide a user name and fill in the Allowed IPs. Use any for unrestricted access, a single IP or a single netmask.
4. Choose one or more roles for the new user. The default Automation role is provided for this purpose and has a broad set of permissions that allows most activities that a service account might need. If you wish to have a more restricted set of permissions for a certain playbook or activity, create a role with the desired permissions and assign that instead.

You can view the token and other configuration information in the Authentication Configuration for REST API panel by clicking on the user name you just created. Cut and paste this JSON formatted data and provide it to your script or application that will be sending the REST requests:

    "ph-auth-token": "cs76HmsNcWjkd6kWmGzUa18LcbtQx95vMW1bsdeP7gU=",

The ph-auth-token field contains the generated authorization token. The other field contains the URL that can be used to POST to this Phantom instance.

This token is only valid from the associated IP address provided in the USER EDIT panel. If the token is compromised or needs to be re-provisioned at any point, you can click on the RE-GENERATE AUTH TOKEN button. A new token will be provided and the old token will no longer be accepted.

This is a simple script that shows how to take a CSV file that represents some activity and uses it to generate containers, which will be called "incidents", and artifacts, which will be called "events", in Phantom.
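The CSV-to-containers script itself is not reproduced on the page, so the following is an added example (not Splunk's sample) of the same flow: read a CSV of activity, POST one container per incident and one artifact per row, sending the token in the ph-auth-token header. It assumes the /rest/container and /rest/artifact endpoints and their {"success": true, "id": N} responses; the HTTP transport is injected so the logic runs offline.

```python
import csv
import io
# Constructed sample activity: one row per event, grouped by incident name.
SAMPLE_CSV = """incident,event,source_ip,dest_ip,severity
Suspicious logins,failed ssh login,10.0.0.5,10.0.0.9,medium
Suspicious logins,successful ssh login,10.0.0.5,10.0.0.9,high
Malware beacon,dns query to c2,10.0.0.7,198.51.100.2,high
"""
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

def auth_headers(token):
    # Token based auth: ph-auth-token must be present in the HTTP headers.
    return {"ph-auth-token": token, "Content-Type": "application/json"}

def group_by_incident(csv_text):
    # Each distinct incident name becomes one container; its rows become artifacts.
    groups = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        groups.setdefault(row["incident"], []).append(row)
    return groups

def container_payload(name, rows):
    # The container inherits the highest severity among its events.
    worst = max(rows, key=lambda r: SEVERITY_RANK[r["severity"]])["severity"]
    return {"name": name, "label": "events", "severity": worst,
            "description": "Imported from CSV (%d events)" % len(rows)}

def artifact_payload(container_id, row):
    # CEF fields let playbooks extract the addresses from the artifact.
    return {"container_id": container_id, "name": row["event"], "label": "event",
            "severity": row["severity"],
            "cef": {"sourceAddress": row["source_ip"], "destinationAddress": row["dest_ip"]}}

def import_csv(base_url, token, csv_text, post):
    # post(url, headers, body_dict) -> response dict is injected (assumed transport); a real
    # one is requests.post(url, headers=headers, json=body, verify="ca.pem").json().
    headers = auth_headers(token)
    created = {}
    for name, rows in group_by_incident(csv_text).items():
        resp = post(base_url + "/rest/container", headers, container_payload(name, rows))
        if not resp.get("success"):
            raise RuntimeError("container create failed: %r" % resp)
        cid = resp["id"]
        created[cid] = []
        for row in rows:
            resp = post(base_url + "/rest/artifact", headers, artifact_payload(cid, row))
            if not resp.get("success"):
                raise RuntimeError("artifact create failed: %r" % resp)
            created[cid].append(resp["id"])
    return created
```

Keep TLS verification enabled for the real transport: point verify at the CA bundle that signed the Phantom certificate rather than passing verify=False, since the token travels in a request header.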
