Splunk® Phantom (Legacy)

Administer Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Set global environment variables

You can set environment variables that apply globally across the runtime environment to manage proxies or other features. You can also override or provide these variables on a per-app basis in the app advanced configuration. Changes to global environment settings will not be applied until the platform is restarted.

To make changes to the global environment:

  1. From the main menu, select Administration.
  2. Click Administration Settings > Environment Settings.
  3. Click +Variable to add a new environment variable.
  4. In the Name field, specify HTTP_PROXY, HTTPS_PROXY, or NO_PROXY depending on the type of proxy connection. These environment variables are read by all processes and affect the entire product including external search connections, app and asset connections, and requests made from within playbooks.
  5. In the Value field, include the following depending on the type of proxy configuration. Wildcards are not supported.
    1. HTTP and HTTPS proxy configurations: protocol, hostname or IP address, and the port of the proxy server. For example,
      <protocol>://<hostname/IP>:<port>
    2. NO_PROXY configurations: IP address, hostname, or domain of the asset.
    3. (Conditional) If the proxy server requires authentication, consider the following items:
    • The value has the form <scheme>://[<username>[:<password>]@]<host>[:<port>], where the scheme is http or https, the username and password are optional, the host is a host name or IP address, and the port number is optional.
    • The scheme and host are required.
    • If you use a proxy server that requires authentication, you may need a service account on the proxy server.
    • If authentication credentials (username/password) are specified, select the Secret check box so that the username and password are stored in encrypted format.
    • If the port is not specified, it defaults to port 80 when the scheme is http, and port 443 when the scheme is https.
  6. Check Secret to encrypt the Value field and stop it from being displayed.

When configuring the system to use an HTTP or HTTPS proxy, Splunk Phantom requires that you exclude calls to the loopback interface from the proxy. You must set the environment variable NO_PROXY to include 127.0.0.1, localhost, and localhost.localdomain so that REST calls can be made on the loopback interface without being diverted to the proxy.
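
An added example, not part of the Splunk documentation: a Python check that applies the rules above to a set of variables before you enter them in Environment Settings. The function names and the `{name: (value, secret)}` layout are hypothetical, and it assumes NO_PROXY entries are comma-separated, which this page does not state.

```python
from urllib.parse import urlsplit

# Loopback entries this page says NO_PROXY must include when a proxy is set.
REQUIRED_NO_PROXY = {"127.0.0.1", "localhost", "localhost.localdomain"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def check_proxy_value(value, secret):
    """Return (host, port, problems) for an HTTP_PROXY or HTTPS_PROXY value."""
    problems = []
    parts = urlsplit(value)
    if parts.scheme not in DEFAULT_PORTS:
        problems.append("scheme must be http or https")
    if not parts.hostname:
        problems.append("host is required")
    if "*" in value:
        problems.append("wildcards are not supported")
    if (parts.username or parts.password) and not secret:
        problems.append("credentials present but Secret is not checked")
    try:
        # Port falls back to 80 (http) or 443 (https) when omitted.
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    except ValueError:
        port = None
        problems.append("port is not a valid number")
    return parts.hostname, port, problems


def check_environment(variables):
    """variables maps name -> (value, secret_flag). Returns a list of findings."""
    findings = []
    proxies = [n for n in ("HTTP_PROXY", "HTTPS_PROXY") if n in variables]
    for name in proxies:
        value, secret = variables[name]
        findings += [f"{name}: {p}" for p in check_proxy_value(value, secret)[2]]
    if proxies:
        # Assumption: NO_PROXY is a comma-separated list of hosts.
        no_proxy = variables.get("NO_PROXY", ("", False))[0]
        entries = {e.strip().lower() for e in no_proxy.split(",") if e.strip()}
        if any("*" in e for e in entries):
            findings.append("NO_PROXY: wildcards are not supported")
        missing = sorted(REQUIRED_NO_PROXY - entries)
        if missing:
            findings.append("NO_PROXY: missing loopback entries " + ", ".join(missing))
    return findings
```

An empty list from `check_environment` means the proxy values are well formed, any embedded credentials are flagged Secret, and loopback traffic is excluded from the proxy.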

Apply environment variables to individual assets

You can also apply environment variables to configured assets individually. The asset environment variables take precedence over global environment variables. For more information, see Configure environment variables for an asset.

Multi-tenancy and environment variables

When multi-tenancy is enabled, you can choose to set specific environment variables per tenant. To set specific environment variables per tenant, select the tenant you want to set the environment variables for in the Tenant drop-down menu on the Environment Settings screen. For more information on enabling and using multi-tenancy, see Configure multiple tenants on your instance.

When multi-tenancy is enabled, per-asset variables take precedence over per-tenant variables and per-tenant variables take precedence over global environment variables. When multi-tenancy is not enabled, per-asset environment variables take precedence over global environment variables.

Last modified on 07 September, 2021

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

