Splunk® Phantom (Legacy)

Administer Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Manage your organization's credentials with a password vault

Use credential vaults to centrally manage and monitor credential usage in your organization. Splunk Phantom supports the following password vaults:

  • Hashicorp Vault
  • CyberArk Enterprise Password Vault
  • Thycotic Secret Server

As an administrator, you can configure Splunk Phantom to retrieve credentials from these vaults and use them in assets, or use them when Splunk Phantom acts as a client to other identity providers such as LDAP and OpenID.

Use Hashicorp Vault with Splunk Phantom

Splunk Phantom supports Hashicorp Vault's KV store REST API version 2.

To use Hashicorp Vault with Splunk Phantom, perform the following steps:

  1. From the main menu, select Administration.
  2. Select Administration Settings > Password Vault.
  3. Get the URL and Token from your Hashicorp administrator.
  4. Select the Verify server certificate checkbox to verify that the HTTPS certificate is trusted. If the certificate is not trusted by default, see Manage the certificate store for information about adding your own trusted certificate.
  5. Click Save Changes.

Once you have Hashicorp access configured, you need to know the paths and names of the secrets you want to use from the Hashicorp Vault. You can use Hashicorp to supply credentials under OpenID and LDAP authentication configuration and with assets.

Use Hashicorp to provide credentials during authentication configuration

You can use Hashicorp to automatically supply credentials under OpenID and LDAP authentication configuration.

  1. From the main menu, select User Management.
  2. Select Authentication.
  3. Select an identity provider such as LDAP.
  4. Toggle the LDAP switch to enable LDAP authentication.
  5. Check the Manage password using Hashicorp Vault check box.
  6. Provide the value and key you want to retrieve from the vault.
  7. (Optional) Click Test Authentication to verify authentication.
  8. Click Save Changes.

Use Hashicorp to provide credentials with assets

You can use Hashicorp to automatically supply credentials when working with assets.

  1. From the main menu, select Apps.
  2. In the list of apps, find one to configure such as the Palo Alto Networks Firewall and click Configure New Asset.
  3. Open the Asset Settings tab for that asset.
  4. Click Advanced to expand the advanced configuration section.
  5. In the Credential Management section, select the fields you want to get from Hashicorp Vault, and the path and key to use. For example, you can specify /secret/autofocus in the Path field and apikey in the Key field to retrieve an API key used to authenticate to the AutoFocus service.
  6. Click Save.
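
The Path and Key fields above correspond to a KV version 2 read. This added example (not Splunk code) shows the request and response handling involved, assuming the first path segment is the mount name; the vault URL, token, and sample responses are constructed placeholders.

```python
import json
import ssl
import urllib.error
import urllib.request

# Constructed sample KV v2 response bodies (not real secrets).
SAMPLE_OK = '{"data": {"data": {"apikey": "constructed-not-a-real-key"}, "metadata": {"version": 3}}}'
SAMPLE_DELETED = '{"data": {"data": null, "metadata": {"version": 3, "deletion_time": "2023-09-05T00:00:00Z"}}}'
SAMPLE_DENIED = '{"errors": ["permission denied"]}'


def kv2_request(base_url, token, path):
    """Build the KV v2 read request for a UI-style path such as /secret/autofocus."""
    mount, _, secret = path.strip("/").partition("/")
    if not mount or not secret:
        raise ValueError("path must look like /<mount>/<secret path>")
    # KV v2 inserts "data" between the mount and the secret path.
    url = f"{base_url.rstrip('/')}/v1/{mount}/data/{secret}"
    return urllib.request.Request(url, headers={"X-Vault-Token": token})


def extract_key(body, key):
    """Return one field from a KV v2 read response, failing loudly otherwise."""
    doc = json.loads(body)
    if doc.get("errors"):
        raise PermissionError("; ".join(doc["errors"]))
    # KV v2 nests the fields under data.data; it is null for a deleted version.
    fields = (doc.get("data") or {}).get("data")
    if fields is None:
        raise LookupError("secret version is deleted or destroyed")
    if key not in fields:
        raise KeyError(key)
    return fields[key]


def fetch(base_url, token, path, key, ca_file=None):
    """Read one key over HTTPS with certificate verification left on."""
    # ca_file: optional private CA bundle, the analogue of adding your own
    # trusted certificate instead of switching verification off.
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with urllib.request.urlopen(kv2_request(base_url, token, path),
                                    context=ctx, timeout=10) as resp:
            return extract_key(resp.read(), key)
    except urllib.error.HTTPError as err:
        # 403/404 bodies carry "errors" or null data; surface them as exceptions.
        return extract_key(err.read(), key)
```

Running `fetch` against your own vault with the token intended for Splunk Phantom is a quick way to confirm that the token's policy allows reading the path before you enter it in an asset.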

Use CyberArk with Splunk Phantom

Integrate with CyberArk's Vault feature to retrieve passwords or other fields for assets. This allows you to utilize CyberArk account management features to change passwords on managed products and services without having to manually update assets after a password change.

From a security standpoint, using CyberArk can greatly simplify password management but may not significantly change the security stance of the Splunk Phantom server. Splunk Phantom would no longer be the primary store for CyberArk-managed account passwords, but it still has the ability to retrieve the same passwords from CyberArk in order to authenticate itself to other resources. Therefore, someone with administrative control over the Splunk Phantom server can gain access to those passwords.

Installing CyberArk on the Splunk Phantom server must be performed by a CyberArk administrator following the CyberArk documentation. Splunk Phantom was tested with the CARKaim-9.70.0.3.x86_64.rpm CyberArk installer package.

Perform the following tasks to use CyberArk with Splunk Phantom:

  1. From the main menu, select Administration.
  2. Select Administration Settings > Password Vault.
  3. Select Cyberark from the drop-down list in the Manager field. The CyberArk option in the drop-down list is inactive until the CyberArk components are installed. Splunk Phantom determines the presence of CyberArk in your environment by looking for the /opt/CARKaim directory.
  4. Click Save Changes.

After the CyberArk options become visible, check the Enable credential management at startup check box to have the watchdogd daemon start CyberArk when Splunk Phantom is started. This is useful if you have disabled the system from starting CyberArk by removing the startup file from /etc/init.d.

To require a Splunk Phantom administrator to log in to perform an action in Splunk Phantom before CyberArk is available after a system restart, uncheck Enable credential management at startup and click Save Changes. In this situation, an administrator is someone who has the specific Administrator role. Click Authorize to require the logged-in administrative user to supply their own password to re-authenticate themselves, and then the credential management service will be started.

To use CyberArk to automatically supply credentials under authentication configuration, perform the following steps:

  1. From the main menu, select User Management.
  2. Select Authentication.
  3. Select an identity provider such as LDAP.
  4. Toggle the LDAP switch to enable LDAP authentication.
  5. Check the Manage password using CyberArk check box.
  6. Fill in the CyberArk Safe, Safe Path, and Object Name fields the same way you do for an Asset to select the CyberArk object that CyberArk is going to use to get the password field value.
  7. Click Save Changes.

Use Thycotic Secret Server with Splunk Phantom

Splunk Phantom can use Thycotic's API to access secrets managed by Secret Server. Usernames and passwords can be stored in Thycotic Secret Server for both users and assets which require a login to use.

In order for Splunk Phantom to use secrets managed by Thycotic Secret Server, you must provide:

  • The URL to your organization's Thycotic Secret Server. Depending on your organization's DNS configuration, you may need to include the port number.
    https://<your.organization's.secret.server>:<port number>
  • The username and password of the account which will retrieve secrets using the API.
  • Optional: The Organization ID set in Secret Server for use in the Thycotic Secret Server API.

These values are used to make an OAuth2 token for Thycotic Secret Server. Once authenticated, Splunk Phantom uses the SearchSecretsByFolder API to access the managed secrets.

Set the login secret in Thycotic Secret Server

You will need to set up the login information in Secret Server before it can be used to access Splunk Phantom. For more information on Thycotic Secret Server, see the documentation on the Thycotic website.

  1. Create the required folders.
  2. Use the Create Secret widget, selecting the template as Password.
  3. Enter the required items in the mandatory fields of secret and Password.

Set the Thycotic Secret Server settings in Splunk Phantom

Add the required information to create the OAuth2 token for Thycotic Secret Server in Splunk Phantom's administration settings. This token is for connecting to Thycotic Secret Server.

  1. From the Main Menu, select Administration.
  2. Select Administration Settings > Password Vault.
  3. Select Thycotic Secret Server from the drop-down list in the Manager field.
  4. Set the URL for your Thycotic Secret Server instance.
  5. Specify the username and password Splunk Phantom will use to access secrets.
  6. Optional: Set the organization id.
  7. Click Save Changes.

Add the authentication settings in User Management. These will be the actual secrets for each user or asset. Only LDAP authentication is supported.

  1. From the Main Menu, select Administration.
  2. Select User Management > Authentication.
  3. Select the LDAP tab.
  4. Set LDAP to ON.
  5. Add the information for your LDAP provider, server, domain, usernames, and passwords.
  6. Check Manage password using Thycotic Secret Server.
  7. Add the Folder, Key, and Thycotic FieldName that store the user credentials.
  8. Test your LDAP integration by clicking Test Authentication.

For more information about configuring LDAP, see Configure single sign-on authentication for Splunk Phantom.

If you have assets which require logins and those logins are managed by Thycotic Secret Server, then you need to set credential management in the asset's configuration, in Apps > <Asset Name> > Asset Settings > Advanced.

Last modified on 05 September, 2023

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

