Content Pack for Monitoring Phantom as a Service

The Content Pack for SOAR System Logs replaces the Content Pack for Monitoring Phantom as a Service, which is now a legacy product. Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

About the Content Pack for Monitoring Phantom as a Service

The Content Pack for Monitoring Phantom as a Service provides an ITSI-based approach to monitoring the health of your Phantom server environment. Phantom is a security orchestration, automation, and response (SOAR) platform designed to reduce the manual workload of your security operations. With Phantom, you can automate tasks, orchestrate workflows, and support a broad range of SOC functions, including event and case management, collaboration, and reporting.

This content pack contains Key Performance Indicators (KPIs) specific to Phantom application metrics. OS-level monitoring of the Phantom hosts is covered by a separate content pack. The copy of Splunk Enterprise embedded in each Phantom deployment is dedicated to Phantom's own functionality and is not used for health monitoring; instead, a Splunk universal forwarder installed on the Phantom servers collects the monitoring data and forwards it to the Splunk environment where ITSI runs.

As of Splunk SOAR (On-premises) 6.2.0, universal forwarders replace the embedded copy of Splunk Enterprise entirely.

Content pack contents

The Content Pack for Monitoring Phantom as a Service is a backup ZIP file of preconfigured ITSI objects, including services and KPIs, that you can restore to your own environment and tune for your specific needs. This content pack contains the following objects:

Two Phantom services:

  • Splunk Phantom - OS
  • Splunk Phantom - Application

Two deep dives:

  • Splunk Phantom - OS
  • Splunk Phantom - Application

ITSI and ITE Work support

The content in the Content Pack for Monitoring Phantom as a Service is supported only in ITSI. It is not supported in IT Essentials Work (ITE Work).

Installation

If you're using ITSI version 4.9 or later, you can install the Content Pack for Monitoring Phantom as a Service after installing the Splunk App for Content Packs. Install the content pack on the same search head where you installed ITSI. For installation instructions, see Install and configure the Content Pack for Monitoring Phantom as a Service.

If you're using ITSI version 4.8 or earlier, you need to install the content pack using the backup ZIP file. For installation instructions, see Install and configure the Content Pack for Monitoring Phantom as a Service.

Deployment requirements

Use the following table to determine which ITSI, Phantom, and Phantom Add-on versions each version of the content pack supports.

Content pack version   ITSI version       Phantom version    Phantom Add-on version
1.0.1                  4.7.0 or higher    4.9.0 or higher    1.0.1
1.0.0                  4.4.0 - 4.6.2      4.6.0 - 4.8.0      1.0.0

Additional resources

  • Release notes for the Content Pack for Monitoring Phantom as a Service

Last modified on 11 January, 2024

This documentation applies to the following versions of Content Pack for Monitoring Phantom as a Service: 1.0.1

