Splunk® Phantom (Legacy)

Release Notes

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® Phantom (Legacy). For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Welcome to Splunk Phantom 4.10.0

If you are new to Splunk Phantom, read About Splunk Phantom in the Use Splunk Phantom manual to learn how you can use Splunk Phantom for security automation.

Begin your Splunk Phantom installation by reviewing the following documentation:

Planning to upgrade from an earlier version?

If you plan to upgrade to this version from an earlier version of Splunk Phantom, read Prepare your Splunk Phantom deployment for upgrade in the Install and Upgrade Splunk Phantom manual.

Splunk Phantom requires incremental upgrades from earlier versions. Do not skip any required versions when upgrading Splunk Phantom.

Migrate a privileged Splunk Phantom deployment to an unprivileged deployment

This release contains tools for converting a privileged Splunk Phantom deployment to an unprivileged one.

This migration should only happen at a major release, such as upgrading from Splunk Phantom 4.9 to Splunk Phantom 4.10.0. See Splunk Phantom upgrade overview and prerequisites for more information.

End of support for iptables

Splunk Phantom 4.10.0 is the final release that supports iptables. Both Red Hat Enterprise Linux 7 and CentOS 7 and later releases use firewalld as their default managed firewall. Splunk Phantom scripts and tools in future releases will only support firewalld.

Customers are encouraged to migrate to firewalld to use with future releases of Splunk Phantom.

CentOS 6 and Red Hat Enterprise Linux 6 are no longer supported

As announced in the release notes for Splunk Phantom 4.9, Splunk Phantom 4.10.0 has removed support for CentOS version 6 and Red Hat Enterprise Linux version 6. Both CentOS 6 and Red Hat Enterprise Linux reached End of Life status on November 30, 2020.

Customers are encouraged to migrate to CentOS 7 or Red Hat Enterprise Linux 7 or newer in order to use Splunk Phantom 4.10.0 and future releases of Splunk Phantom. For assistance on migrating to a supported operating system, see Migrate a Splunk Phantom install from REHL 6 or CentOS 6 to RHEL 7 or CentOS 7 in Install and Upgrade Splunk Phantom.

What's new in 4.10.0

This release of Splunk Phantom includes the following enhancements.

New Feature or Enhancement Description
Python 3 playbooks and custom functions Playbooks and custom functions can now be written in Python 3.
  • New playbooks and custom functions are Python 3 by default.
  • Splunk Phantom supports Python 2 and Python 3 runtime environments for playbooks and custom functions.
  • Two phenv command line tools are available to help you convert your existing Python 2 custom functions and playbooks to Python 3. See Convert playbooks or custom functions from Python 2 to Python 3 for more information.
    • phenv playbooks_to_py3
    • phenv customfunctions_to_py3
  • Playbook APIs which have been deprecated cannot be used in playbooks written in Python 3. These deprecated playbook APIs can still be used in playbooks written in Python 2.
Deprecated API Supported API
artifact_values collect
datastore_get get_list
datastore_present get_list
datastore_add add_list
datastore_set set_list
datastore_delete remove_list
add_attachment vault_add
get_file_info vault_info
get_file_path vault_info
get_vault_item_info vault_info
App API Deprecations Due to changes in the playbook API, some App APIs are also deprecated.
Deprecated API Supported API
get_file_info vault_info
get_file_path vault_info

get_vault_file_item_info

vault_info

add_attachment

vault_add
Accessibility enhancements Many areas of the Splunk Phantom UI have been made more accessible to screen readers and keyboard navigation.
Unprivileged installs are now the default Both virtual machine images (OVA) and Amazon Marketplace Images for Splunk Phantom 4.10.0 have been designed to run as unprivileged instances.
  • Customers who wish to convert a privileged deployment (instance or cluster) to an unprivileged deployment can do so during the upgrade to Splunk Phantom 4.10.0 from Splunk Phantom 4.9. See Splunk Phantom upgrade overview and prerequisites for more information.
  • Customers running privileged deployments can still upgrade without converting to an unprivileged deployment.
  • Customers wishing to convert their privileged deployments to unprivileged deployments at a later time can do so. See Convert a privileged deployment to an unprivileged deployment in Install and Upgrade Splunk Phantom for more information.
Markdown support for prompts in Playbooks Playbook prompts can now be formatted using markdown.
Data retention tools Use the new data retention script to manage Splunk Phantom data.

See Use data retention to schedule and manage your database cleanup scripts in Administer Splunk Phantom.

Improvements to Hashicorp Vault integration
  • Added support for Hashicorp Vault's KV store REST API version 2
  • Added support for app_role authentication
  • Added a new command to help debug Hashicorp Vault and Splunk Phantom integrations, phenv hashicorp_client. Use phenv hashicorp_client --help for options.
Last modified on 17 March, 2021
  NEXT
Known issues in this release of Splunk Phantom

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.10

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters