Splunk® Phantom (Legacy)

Administer Splunk Phantom



Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Configure search in Splunk Phantom

Splunk Phantom uses an embedded, preconfigured version of Splunk Enterprise as its native search engine. Your organization might want to use a different Splunk Enterprise deployment with Splunk Phantom or use an external Elasticsearch instance.

Configure Splunk Phantom to use an external Splunk Enterprise or Splunk Cloud Platform instance for search

This table summarizes the available options for configuring a Splunk Enterprise or Splunk Cloud Platform instance for search in Splunk Phantom.

Search option: Embedded Splunk Enterprise Instance
Description: This is the default. No additional configuration is required.

Search option: External Standalone Splunk Enterprise Instance
Description: Use this option to connect your Splunk Phantom instance or cluster to a single, external instance of Splunk Enterprise or Splunk Cloud Platform. This option requires the Splunk Phantom Remote Search app.

  1. See About the Splunk Phantom Remote Search app in the Splunk Phantom Remote Search manual to verify version compatibility and requirements.
  2. See Connect to a standalone Splunk instance in the Splunk Phantom Remote Search manual for instructions.

Search option: External Distributed Splunk Enterprise Instance
Description: Use this option to connect your Splunk Phantom instance or cluster to a Splunk Enterprise or Splunk Cloud Platform deployment that contains one or more search heads, or one or more indexers with or without a search head cluster or indexer cluster. This option requires the Splunk Phantom Remote Search app.

  1. See About the Splunk Phantom Remote Search app in the Splunk Phantom Remote Search manual to verify version compatibility and requirements.
  2. See Connect to a distributed Splunk platform deployment in the Splunk Phantom Remote Search manual for instructions.

Clustered deployments of Splunk Phantom require an external Splunk Enterprise, as either a single instance or a distributed deployment, or a Splunk Cloud Platform deployment.

Integrating with Splunk Cloud Platform requires the following additional information and actions:

  • You must use a public certificate from a verified or trusted certificate authority (CA).
  • You must contact Splunk Customer Support for assistance with Splunk Cloud Platform integration. You will need to provide the path to your certificate and your CA.
  • You must enable certificate verification on your Splunk Phantom assets.

Splunk Phantom also provides support for an external Elasticsearch instance for single-instance deployments of Splunk Phantom. Clustered deployments of Splunk Phantom cannot use Elasticsearch as their search endpoint. See Configure Splunk Phantom to use an external Elasticsearch instance for search.

Configure Splunk Phantom to use an external Elasticsearch instance for search

When you configure Splunk Phantom to use an external instance of Elasticsearch, a copy of all indexed and searchable data is sent to the Elasticsearch instance. The embedded Splunk Enterprise remains active and is used as the search provider for searches in the Splunk Phantom web interface.

Verify the following requirements before configuring the external Elasticsearch instance:

  • If you are using SSL to secure your connection to the Elasticsearch instance, the SSL certificate is imported to the Splunk Phantom certificate store.
  • You know the host name and port for the Elasticsearch instance.
  • You know the username and password of an Elasticsearch user account, or the client certificate and client key.

Perform the following tasks to connect to an external Elasticsearch instance:

  1. From the main menu in Splunk Phantom, select Administration.
  2. Click Administration Settings.
  3. Click Search Settings.
  4. From Search Endpoint, select the radio button for External Elasticsearch Instance.
  5. Select the Use SSL check box to enable SSL.
  6. If your Elasticsearch instance is version 6 or newer, select the Use one index per section check box.
  7. Type the host name in the Host field.
  8. Type the port number in the Port field.
  9. Choose your authentication method, either basic authentication with a username and password, or a client certificate.
  10. If you are using basic authentication with a username and password:
    1. Type the username of the authorized Elasticsearch account in the Username field.
    2. Type the password of the authorized Elasticsearch account in the Password field.
  11. If you are using certificate-based authentication, select the Client Authentication check box.
    1. Type the path to the client certificate in the Client Certificate field. This certificate is often a file with the .pem extension.
    2. Type the path to the client key in the Client Key field. This key is often a file with the .key extension.
  12. Test the connection to your Elasticsearch instance by clicking Test Connection.
  13. When you are finished, click Save Changes.

If you want to use a client certificate to connect to your Elasticsearch instance, provide the paths on the Splunk Phantom instance's operating system to the public and private keys. The private key, often a file with the .pem extension, is the Client Certificate. The public key, often a file with the .key extension, is the Client Key. Both files must be readable by the nginx user. You can store the files in the nginx user's home directory, /var/cache/nginx.
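Before clicking Test Connection with certificate-based authentication, it is worth confirming that the two paths point at the right kind of file and that the account opening them can read them. The preflight script below is an added example and is not part of the Splunk documentation or of Splunk Phantom; the function names, the default user name "nginx" (taken from the paragraph above) and the PEM header checks are the example's own choices. It assumes the Client Certificate field holds a PEM-encoded X.509 certificate and the Client Key field holds a PEM-encoded private key, which is what files with those extensions usually contain; the optional es_probe function wraps the same curl flags a manual connection test would use.

```shell
#!/bin/sh
# Added example (not Splunk's code): preflight checks for the Elasticsearch
# client-certificate settings before clicking Test Connection.
# Assumption: CERT is a PEM certificate, KEY is a PEM private key, and the
# web service that opens them runs as the nginx user (default below).

# pem_kind FILE -> prints "cert", "key" or "unknown" from the PEM header
pem_kind() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
    echo cert
  elif grep -q -E -- '-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$1" 2>/dev/null; then
    echo key
  else
    echo unknown
  fi
}

# es_cert_preflight CERT_PATH KEY_PATH [USER]
# Returns 0 when both files exist, are readable, and carry the expected PEM
# content in each slot. Prints the reason on failure.
es_cert_preflight() {
  cert=$1; key=$2; user=${3:-nginx}
  for f in "$cert" "$key"; do
    [ -f "$f" ] || { echo "missing file: $f"; return 1; }
    [ -r "$f" ] || { echo "not readable by $(id -un): $f"; return 1; }
  done
  [ "$(pem_kind "$cert")" = cert ] || { echo "Client Certificate is not a PEM certificate: $cert"; return 2; }
  [ "$(pem_kind "$key")" = key ] || { echo "Client Key is not a PEM private key: $key"; return 2; }
  # Least privilege: the key only needs to be readable by $user, so warn when
  # the "other" permission bits (columns 8-10 of ls -l) grant anything.
  case "$(ls -l "$key" | cut -c8-10)" in
    ---) ;;
    *) echo "warning: $key is world-accessible; restrict it to $user" ;;
  esac
  return 0
}

# es_probe HOST PORT CERT KEY [CA_CERT] -> prints the HTTP status code of a
# TLS GET / using client-certificate auth. Needs network access; not run here.
es_probe() {
  host=$1; port=$2; cert=$3; key=$4; cacert=${5:-}
  set -- -s -o /dev/null -w '%{http_code}' --cert "$cert" --key "$key"
  [ -n "$cacert" ] && set -- "$@" --cacert "$cacert"
  curl "$@" "https://$host:$port/"
}

# Usage: sh es_preflight.sh /var/cache/nginx/client.pem /var/cache/nginx/client.key [nginx]
if [ "$#" -ge 2 ]; then
  es_cert_preflight "$@" && echo "preflight OK"
fi
```

The script deliberately stops at the file checks: a swapped certificate and key, or a key that the nginx user cannot open, produces a vague TLS handshake error in the UI, and catching it here is cheaper than reading nginx logs afterwards.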

Reindex data to make newly added information searchable

There are some situations where data coming in to Splunk Phantom can't be indexed, and therefore can't be searched. You can reindex information sections to make this information searchable. See Reindex data to make newly added information searchable in the Splunk Phantom Remote Search manual.

Define a custom index per Splunk Phantom instance

If you have multiple Splunk Phantom instances in your environment, you can append a custom prefix to the index created on the Splunk platform. Use the custom prefix to create separate indexes for each Splunk Phantom instance, which provides data separation and the ability to correlate each index with the appropriate Splunk Phantom instance.

This screen image shows 3 Splunk Phantom instances writing to separate indexes on a single Splunk Enterprise Instance. Splunk Phantom instance 1 is writing to an index called prefix1_Phantom_*, Splunk Phantom instance 2 is writing to an index called prefix2_Phantom_*, and Splunk Phantom instance 3 is writing to an index called prefix3_phantom_*.

Define a custom prefix with a standalone external Splunk platform deployment

Perform the following tasks on each Splunk Phantom instance to create a custom prefix for each instance with a standalone external Splunk platform deployment for search:

  1. Verify that your Splunk Phantom instance is connected to the Splunk platform by setting up the search settings using a standalone external Splunk instance:
    1. Follow the instructions in Connect to a standalone Splunk instance in the Splunk Phantom Remote Search manual.
    2. Make sure to click Test Connection at the end of the procedure and verify that Splunk Phantom and the Splunk platform are connected.
  2. Log in to the Splunk Phantom instance as the root user. In unprivileged environments, run the script as the specific user configured to run Splunk Phantom.
  3. On each Splunk Phantom instance, run the set_preference command:
    phenv set_preference --splunk-index-prefix="<prefixstring>" --splunk-admin-username <splunkadminusername>

    For example, to set a custom prefix called prefix1 using admin as the admin user for the Splunk platform:

    phenv set_preference --splunk-index-prefix="prefix1" --splunk-admin-username admin

    Use an empty prefix string to remove a custom prefix. For example:

    phenv set_preference --splunk-index-prefix="" --splunk-admin-username admin

    In Splunk Phantom clusters, the script updates the prefix for all nodes in the cluster.

  4. Users on the Splunk platform inherit index permissions from their roles. After creating the new indexes, you can update roles to give all users in the role access to the new indexes, or create new users and new roles to give access to the new indexes. This example shows how to edit the phantomsearch and phantomdelete roles to grant users access to the new indexes.
    1. From Splunk Web, select Settings > Roles.
    2. Click the name of the role you want to edit, such as phantomsearch.
    3. Click the Indexes tab.
    4. Check the boxes next to the names of the new indexes.
    5. Click Save.
    6. Perform this procedure again to grant access to the new indexes for the phantomdelete role.
  5. If you need additional custom roles to manage only the new indexes, this example shows how to create them.
    1. From Splunk Web, select Settings > Roles.
    2. Click New Role.
    3. Type a name for the role.
    4. On the Inheritance tab, select the existing role you want your new role to inherit from, such as phantomsearch.
    5. Click the Indexes tab.
    6. Check the boxes next to the names of the new indexes.
    7. Uncheck the boxes next to the names of the indexes the new role should not be able to access.
    8. Click Create.
    9. Click the name of the role you want to edit, such as phantomsearch.
    10. Click the Indexes tab.
    11. Uncheck the boxes next to the names of the new indexes. This will prevent items managed by the new role from being repeated in indexes by phantomsearch.
    12. Click Save.
    13. Perform this procedure again to create a new role with access to the new indexes for the phantomdelete role. Custom roles used for deletions must inherit permissions from the phantomdelete role.
  6. After the prefix is created, update the Splunk administration for the HEC token to grant access to the new indexes. See Set up the HTTP Event Collector on the standalone Splunk platform instance in the Splunk Phantom Remote Search manual for instructions.
  7. Perform this step if you are using a Splunk Phantom cluster. Run the following commands on each node in your Splunk Phantom cluster:
    pkill --full add_to_searchindex
    <PHANTOM_HOME>/bin/phsvc restart uwsgi
    
  8. Reindex all indexes to search for the data created while using the new prefixes. See Reindex data to make newly added information searchable in the Splunk Phantom Remote Search manual.

Define a custom prefix with a distributed external Splunk platform deployment

Perform the following tasks on each Splunk Phantom instance to create a custom prefix for each instance with a distributed external Splunk platform deployment for search:

The custom prefix script is not supported with distributed Splunk platform deployments in Splunk Cloud Platform environments.

  1. Verify that your Splunk Phantom instance is connected to the Splunk platform by setting up the search settings using a distributed external Splunk instance:
    1. Follow the instructions in Connect to a distributed Splunk platform deployment in the Splunk Phantom Remote Search manual. The Splunk Phantom Remote Search app must be installed on all search heads in the cluster.
    2. Make sure to click Test Connection at the end of the procedure and verify that Splunk Phantom and the Splunk platform are connected.
  2. Log in to the Splunk Phantom instance as the root user. In unprivileged environments, run the script as the specific user configured to run Splunk Phantom.
  3. On each Splunk Phantom instance, run the set_preference command:
    phenv python set_preference --splunk-index-prefix="<prefixstring>" --splunk-admin-username <splunkadminusername>

    For example, to set a custom prefix called prefix1 using admin as the admin user for the Splunk platform:

    phenv python set_preference --splunk-index-prefix="prefix1" --splunk-admin-username admin

    Use an empty prefix string to remove a custom prefix. For example:

    phenv python set_preference --splunk-index-prefix="" --splunk-admin-username admin

    In Splunk Phantom clusters, the script updates the prefix for all nodes in the cluster.

    Below is sample output from the command run in a Splunk Phantom unprivileged cluster with a distributed Splunk Enterprise deployment:

    [phanru@phantom ~]$ phenv set_preference --splunk-index-prefix prefix1 --splunk-admin-username admin
    Are you sure you wish to apply search index prefix prefix1 for this Phantom instance [yes/no]? yes
    Proceeding ... index configuration stored: /home/phanru/phantomcyber/tmp/indexes.conf
    Done! Next steps:
    - indexes.conf must be updated via splunk cluster master node.
    - On Splunk platform, edit permissions to allow the current or new HEC token to access new indexes.
    - On Splunk platform, edit permissions to allow the current or new search/delete users to access new indexes.
    - If new HEC token or users are created, update the Phantom search settings.
    Run `pkill --full add_to_searchindex` on each Phantom cluster node
    Run `/home/phanru/phantomcyber/bin/phsvc restart uwsgi` on each Phantom cluster node
    - Rerun Test Connection.
    - All phantom search indexes must now be re-indexed.
    
    Note the location of the new indexes.conf file created by the script. You will need this information in the next step.
  4. Edit and save the contents of the new indexes.conf file that was created by the phenv set_preference --splunk-index-prefix command. In our example, we can use cat to view and copy the contents of the <PHANTOM_HOME>/tmp/indexes.conf file.
  5. In the master node of the Splunk search head cluster, append the contents of the new indexes.conf file to the local indexes.conf file on the master node, such as /opt/splunk/etc/master-apps/_cluster/local/indexes.conf.
  6. Run the following commands to push the new indexes.conf to the other indexers in the cluster and verify:
    /opt/splunk/bin/splunk apply cluster-bundle --answer-yes
    /opt/splunk/bin/splunk show cluster-bundle-status
    
  7. Users on the Splunk platform inherit index permissions from their roles. After creating the new indexes, you can update roles to give all users in the role access to the new indexes, or create new users and new roles to give access to the new indexes. This example shows how to edit the phantomsearch and phantomdelete roles to grant users access to the new indexes.
    1. From Splunk Web, select Settings > Roles.
    2. Click the name of the role you want to edit, such as phantomsearch.
    3. Click the Indexes tab.
    4. Check the boxes next to the names of the new indexes.
    5. Click Save.
    6. Perform this procedure again to grant access to the new indexes for the phantomdelete role.
  8. If you need additional custom roles to manage only the new indexes, this example shows how to create them.
    1. From Splunk Web, select Settings > Roles.
    2. Click New Role.
    3. Type a name for the role.
    4. On the Inheritance tab, select the existing role you want your new role to inherit from, such as phantomsearch.
    5. Click the Indexes tab.
    6. Check the boxes next to the names of the new indexes.
    7. Uncheck the boxes next to the names of the indexes the new role should not be able to access.
    8. Click Create.
    9. Click the name of the role you want to edit, such as phantomsearch.
    10. Click the Indexes tab.
    11. Uncheck the boxes next to the names of the new indexes. This will prevent items managed by the new role from being repeated in indexes by phantomsearch.
    12. Click Save.
    13. Perform this procedure again to create a new role with access to the new indexes for the phantomdelete role. Custom roles used for deletions must inherit permissions from the phantomdelete role.
  9. After the prefix is created, update the Splunk administration for the HEC token to grant access to the new indexes. See Set up the HTTP Event Collector on the distributed Splunk platform deployment in the Splunk Phantom Remote Search manual for instructions.
  10. Perform this step if you are using a Splunk Phantom cluster. Run the following commands on each node in your Splunk Phantom cluster:
    pkill --full add_to_searchindex
    <PHANTOM_HOME>/bin/phsvc restart uwsgi
    
  11. Reindex all indexes to search for the data created while using the new prefixes. See Reindex data to make newly added information searchable in the Splunk Phantom Remote Search manual.
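The role edits in steps 4 and 5 of the standalone procedure and steps 7 and 8 of the distributed procedure both end with a role whose index list should cover every new prefixed index and nothing else. The script below is an added example, not Splunk's code: it reads the stanza names out of an indexes.conf file and checks each one against a role's srchIndexesAllowed value, the authorize.conf setting behind the Indexes tab in Splunk Web, so a stanza the role cannot see is reported before users report empty searches. The embedded indexes.conf is a constructed sample following the <prefix>_phantom_* naming pattern from the screen image description above, not the real output of set_preference, and the function names and the assumption that the glob list is semicolon-separated without spaces are this example's own.

```shell
#!/bin/sh
# Added example (not Splunk's code): verify that a role's srchIndexesAllowed
# glob list covers every index stanza in an indexes.conf file.

# Constructed sample in the <prefix>_phantom_* pattern; not the script's output.
SAMPLE_INDEXES_CONF=$(mktemp)
cat > "$SAMPLE_INDEXES_CONF" <<'EOF'
[prefix1_phantom_container]
homePath = $SPLUNK_DB/prefix1_phantom_container/db
coldPath = $SPLUNK_DB/prefix1_phantom_container/colddb
thawedPath = $SPLUNK_DB/prefix1_phantom_container/thaweddb

[prefix1_phantom_artifact]
homePath = $SPLUNK_DB/prefix1_phantom_artifact/db
coldPath = $SPLUNK_DB/prefix1_phantom_artifact/colddb
thawedPath = $SPLUNK_DB/prefix1_phantom_artifact/thaweddb
EOF

# list_indexes INDEXES_CONF -> prints one index name per line, skipping the
# [default] stanza and volume definitions, which are not searchable indexes.
list_indexes() {
  sed -n 's/^\[\([^]]*\)\]$/\1/p' "$1" | grep -v -E '^(default|volume:)' || true
}

# index_allowed NAME GLOBLIST -> 0 if NAME matches any glob in the
# semicolon-separated list (same * wildcard the Indexes tab accepts).
index_allowed() {
  name=$1
  old_ifs=$IFS
  set -f; IFS=';'; set -- $2; IFS=$old_ifs; set +f   # split without globbing
  for g in "$@"; do
    case "$name" in
      $g) return 0 ;;
    esac
  done
  return 1
}

# unmatched_indexes INDEXES_CONF GLOBLIST -> prints every index the role
# cannot search; returns 1 when at least one is missing, 0 otherwise.
unmatched_indexes() {
  missing=0
  for idx in $(list_indexes "$1"); do
    if ! index_allowed "$idx" "$2"; then
      echo "$idx"
      missing=1
    fi
  done
  return $missing
}

# Usage: sh check_role_indexes.sh 'main;prefix1_phantom_*' [/path/to/indexes.conf]
if [ "$#" -ge 1 ]; then
  if unmatched_indexes "${2:-$SAMPLE_INDEXES_CONF}" "$1"; then
    echo "role covers every index in the file"
  else
    echo "the indexes listed above are not covered by the role"
  fi
fi
```

Run it once with the phantomsearch role's list after step 4 (or 7) and once with the new custom role's list after step 5 (or 8); in the second case the phantomsearch list should no longer match the prefixed indexes, which is what the final Uncheck step is for. The same check applies to the HEC token's allowed indexes, since a token that cannot write to a prefixed index fails silently from the Splunk Phantom side.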

Use a custom prefix when you want to change your Splunk platform instance

If you have a situation where you want to use the same custom prefix on your Splunk Phantom instance with a different or new Splunk platform instance, perform the following tasks:

  1. Follow the instructions in About the Splunk Phantom Remote Search app in the Splunk Phantom Remote Search manual to connect your Splunk Phantom instance with the Splunk platform.
  2. Run the set_preference command to create the new prefix.
  3. Update the Splunk administration for the HEC token to grant access to the new indexes.
  4. Reindex all indexes to search for the data created while using the new prefixes.
Last modified on 28 June, 2021

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

