Splunk® IT Service Intelligence

Administration Manual


Resolve ITSI episodes automatically with Splunk Phantom

Integrate IT Service Intelligence (ITSI) and Splunk Phantom to automatically resolve issues in your IT environment. Splunk Phantom is an orchestration, automation, and response platform designed to help scale your IT and security operations. Splunk Phantom lets you automate tasks, orchestrate workflows, and support a broad range of NOC and SOC functions. For more information, see About Splunk Phantom in the Use Splunk Phantom manual.

With the ITSI integration with Splunk Phantom, you can send episodes directly to Splunk Phantom and run custom playbooks to resolve issues in your IT environment. This functionality lets you automate simple and complex IT operations workflows to increase service availability and operational efficiency.

The following diagram shows the end-to-end workflow of ingesting data into ITSI, triaging and routing issues with Event Analytics, and sending the issues to Splunk Phantom to be automatically resolved:

[Image: the four stages of the ITSI Phantom integration. 1. Collect data and ingest it into ITSI. 2. Triage and route events to Splunk Phantom through ITSI Service Insights and Event Analytics. 3. Automatically resolve episodes in Phantom. 4. Update or escalate the issue in third-party software such as ServiceNow or Remedy.]

When you send an ITSI episode to Splunk Phantom, the episode itself is mapped to a container in Phantom and the notable events within the episode are mapped as artifacts of the container. The ITSI episode ID is mapped to the source ID of the Splunk Phantom container. The container then runs an associated playbook that performs the appropriate remediation steps.
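The mapping described above, as an added example that is not Splunk or Phantom product code: it turns one ITSI episode into the request bodies a REST client would send to Splunk Phantom, one container plus one artifact per notable event, with the episode ID carried in the container's source ID. Assumptions: the episode and notable-event dicts are a constructed, simplified shape; the Phantom field names (name, label, severity, source_data_identifier, cef) follow the public /rest/container and /rest/artifact conventions and should be checked against your Phantom version; the label "itsi", the hostnames and the severity table are ours.

```python
"""Added example: map an ITSI episode to a Splunk Phantom container and artifacts."""

import json

# Constructed sample episode: two notable events grouped by an aggregation policy,
# plus a duplicate delivery of the first event that must not become a second artifact.
SAMPLE_EPISODE = {
    "itsi_group_id": "0b1c2d3e-aaaa-4bbb-8ccc-0123456789ab",   # constructed episode ID
    "title": "Web tier: HTTP 5xx rate above threshold",
    "severity": "critical",
    "events": [
        {"event_id": "ev-1001", "severity": "critical", "host": "web-01.example.invalid",
         "source": "itsi_web_error_rate", "description": "5xx rate 12% over 5m"},
        {"event_id": "ev-1002", "severity": "medium", "host": "web-02.example.invalid",
         "source": "itsi_web_error_rate", "description": "5xx rate 7% over 5m"},
        {"event_id": "ev-1001", "severity": "critical", "host": "web-01.example.invalid",
         "source": "itsi_web_error_rate", "description": "5xx rate 12% over 5m"},
    ],
}

# Assumed mapping from ITSI severities to the three Phantom container severities.
SEVERITY_MAP = {"critical": "high", "high": "high", "medium": "medium", "low": "low", "info": "low"}


def phantom_severity(value):
    """Translate an ITSI severity string; unknown or missing values become 'medium'."""
    return SEVERITY_MAP.get((value or "").lower(), "medium")


def episode_to_container(episode, label):
    """Map one ITSI episode to a Phantom container plus one artifact per notable event.

    The episode ID becomes the container's source_data_identifier, which is what
    lets Phantom (and a later re-send of the same episode) find the container again.
    """
    episode_id = episode.get("itsi_group_id")
    if not episode_id:
        raise ValueError("episode has no itsi_group_id to use as source_data_identifier")
    container = {
        "name": episode.get("title") or "ITSI episode %s" % episode_id,
        "label": label,                      # the Phantom label selects the playbooks
        "severity": phantom_severity(episode.get("severity")),
        "source_data_identifier": episode_id,
    }
    artifacts, seen = [], set()
    for event in episode.get("events", []):
        event_id = event.get("event_id")
        if not event_id or event_id in seen:
            continue  # skip malformed or duplicate notable events
        seen.add(event_id)
        artifacts.append({
            "name": event.get("source") or "notable_event",
            "label": label,
            "severity": phantom_severity(event.get("severity")),
            "source_data_identifier": event_id,
            "cef": {  # assumed CEF keys; adjust to what your playbooks expect
                "sourceHostName": event.get("host"),
                "message": event.get("description"),
            },
        })
    return container, artifacts


def to_request_bodies(episode, label):
    """JSON text for the container POST, then one JSON text per artifact POST."""
    container, artifacts = episode_to_container(episode, label)
    return json.dumps(container, sort_keys=True), [json.dumps(a, sort_keys=True) for a in artifacts]


if __name__ == "__main__":
    container_json, artifact_jsons = to_request_bodies(SAMPLE_EPISODE, "itsi")
    print(container_json)
    for body in artifact_jsons:
        print(body)
```

The duplicate-event check matters in practice: an episode can be sent more than once as action rules fire, and artifacts keyed on the notable event ID keep the container from accumulating repeats.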

Deployment requirements

You must have the following versions of these associated apps to integrate ITSI with Splunk Phantom:

App                               Version
Splunk Enterprise                 7.3.3 or higher
IT Service Intelligence (ITSI)    4.4.2 or higher
Splunk Phantom                    4.6 or higher
Phantom App for Splunk            2.7 or higher

Step 1: Configure Splunk Phantom

Perform the following steps to configure Splunk Phantom to receive and process episodes from ITSI.

Create an automation user

The automation user is a default internal service account used by Splunk Phantom for running automated playbooks and asset actions, such as data ingestion. The automation user provides REST authentication tokens that you can use to read and write data to the REST backend and perform other useful activities.

For instructions on adding an automation user, see Manage Splunk Phantom users in the Administer Splunk Phantom manual.

After you configure an automation user, make sure to select the user you just created and copy the REST API authorization token, which you need when setting up Splunk Enterprise.

Configure your Splunk Phantom instance

Before integrating ITSI with Splunk Phantom, you must set up your Phantom instance with labels, apps and assets, and playbooks.

  • Create labels. You configure an ITSI action to use labels when pushing artifacts to a container. You also set up your playbooks to run on the artifacts that match these labels. For instructions on creating labels in Splunk Phantom, see Configure labels to apply to containers in the Administer Splunk Phantom manual.
  • Configure Splunk Phantom apps and assets. Splunk Phantom apps expand the capabilities of your Phantom instance by enabling connections to third-party products and services. For instructions on configuring Phantom apps and assets, see Add and configure apps and assets to provide actions in Splunk Phantom in the Administer Splunk Phantom manual.
  • Create or import playbooks. When ITSI sends an episode to Splunk Phantom, Phantom automatically runs a playbook to address that episode, so you must create a playbook for each of your IT use cases. For full instructions on creating playbooks, see Create and debug playbooks in Splunk Phantom using the visual playbook editor in the Use Splunk Phantom manual.

If you import a playbook, Splunk Phantom doesn't register the environment-specific asset names used when the playbook was created. You must manually map the Splunk Phantom app asset names that you created.

Step 2: Configure Splunk Enterprise

Perform the following steps to configure Splunk Enterprise to work with Splunk Phantom.

Install the Phantom App for Splunk

Download and install the Phantom App for Splunk from Splunkbase.

Configure Splunk Phantom capabilities in Splunk Enterprise

You must provide specific capabilities to the admin role so Splunk administrators can set up the Splunk Phantom integration.

  1. Within Splunk Enterprise, navigate to Settings > Access controls > Roles.
  2. Select the admin role.
  3. On the Capabilities tab, verify that the admin role has the following capabilities:
    • admin_all_objects
    • phantom_read
    • phantom_write
    • list_storage_passwords
  4. Click Save.

Disable HTTPS certificate validation

If Splunk Enterprise cannot validate the HTTPS certificate presented by your Splunk Phantom server, you can disable certificate validation by editing the phantom.conf configuration file for the Phantom App for Splunk. With validation disabled, Splunk Enterprise sends the automation user's authorization token without verifying the identity of the server it connects to, so leave validation enabled wherever Splunk Phantom presents a certificate that Splunk Enterprise trusts.

Prerequisites

  • Only users with file system access, such as system administrators, can disable HTTPS certificate validation in Splunk Phantom.
  • Review the steps in How to edit a configuration file in the Splunk Enterprise Admin Manual.

Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location.

  1. Create a local version of the phantom.conf file at $SPLUNK_HOME/etc/apps/phantom/local/.
  2. Add the following stanza to disable HTTPS certificate validation:
    [verify_certs]
    value = false
  3. Save the file and restart your Splunk software.

Configure the Phantom App for Splunk

Provide the automation user's REST API authorization token to the Phantom App for Splunk.

  1. Open the Phantom App for Splunk.
  2. Click Phantom Server Configuration.
  3. Click Create Server.
  4. Locate and copy the REST API authorization token that you generated when you configured the automation user in Splunk Phantom.
  5. Paste the authorization token into the Authorization Configuration box.
  6. Restart your Splunk software.

Enable the Splunk Phantom integration in ITSI

To give ITSI the ability to send episodes to Splunk Phantom, you must enable the corresponding action in notable_event_actions.conf. See notable_event_actions.conf in the Administer Splunk IT Service Intelligence manual.

Prerequisites

  • Only users with file system access, such as system administrators, can enable the Splunk Phantom alert action using a configuration file.
  • Review the steps in How to edit a configuration file in the Splunk Enterprise Admin Manual.

Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location.

Steps

  1. Open or create a local copy of the notable_event_actions.conf file at $SPLUNK_HOME/etc/apps/SA-ITOA/local/.
  2. Add the following stanza to the file:
    [itsi_event_action_send_to_phantom]
    disabled = 0

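An added example, not Splunk documentation or product code, that covers the three Splunk Enterprise steps above: it checks that the admin role carries the four required capabilities, and it writes the phantom.conf and notable_event_actions.conf stanzas under each app's local/ directory, never default/. Assumptions: the capability check takes authorize.conf-style text such as the output of `splunk btool authorize list role_admin`; the sample text, the scratch SPLUNK_HOME and the helper names below are ours.

```python
"""Added example: preflight the Splunk Enterprise side of the Phantom integration."""

import os
import re
import tempfile

# The four capabilities the procedure requires on the admin role.
REQUIRED_CAPABILITIES = {
    "admin_all_objects",
    "phantom_read",
    "phantom_write",
    "list_storage_passwords",
}

# Constructed sample of what `splunk btool authorize list role_admin` might print
# on an instance where phantom_write has not been granted yet (assumption).
SAMPLE_BTOOL_OUTPUT = """\
[role_admin]
admin_all_objects = enabled
importRoles = power;user
list_storage_passwords = enabled
phantom_read = enabled
"""


def parse_stanzas(text):
    """Parse Splunk .conf text into {stanza: {key: value}}, ignoring comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"^\[(.+)\]$", line)
        if match:
            current = match.group(1)
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def missing_capabilities(authorize_text, role="admin"):
    """Return the required capabilities that are not set to 'enabled' on the role."""
    settings = parse_stanzas(authorize_text).get("role_" + role, {})
    enabled = {k for k, v in settings.items() if v.lower() == "enabled"}
    return sorted(REQUIRED_CAPABILITIES - enabled)


def write_local_stanza(splunk_home, app, conf, stanza, settings):
    """Create or update one stanza in $SPLUNK_HOME/etc/apps/<app>/local/<conf>.

    Other stanzas already in the file are kept; default/ is never touched.
    """
    for part in (app, conf):
        if os.sep in part or part in ("", ".", ".."):
            raise ValueError("app and conf must be plain names: %r" % part)
    local_dir = os.path.join(splunk_home, "etc", "apps", app, "local")
    os.makedirs(local_dir, exist_ok=True)
    path = os.path.join(local_dir, conf)
    existing = {}
    if os.path.exists(path):
        with open(path) as fh:
            existing = parse_stanzas(fh.read())
    existing[stanza] = dict(settings)
    with open(path, "w") as fh:
        for name, keyvals in existing.items():
            fh.write("[%s]\n" % name)
            for key, value in keyvals.items():
                fh.write("%s = %s\n" % (key, value))
            fh.write("\n")
    return path


def configure_phantom_integration(splunk_home, verify_certs=True):
    """Write the stanzas from the procedure and return the files touched.

    verify_certs=False adds the phantom.conf stanza that disables HTTPS
    certificate validation; the default leaves validation on.
    """
    written = [write_local_stanza(splunk_home, "SA-ITOA", "notable_event_actions.conf",
                                  "itsi_event_action_send_to_phantom", {"disabled": "0"})]
    if not verify_certs:
        written.append(write_local_stanza(splunk_home, "phantom", "phantom.conf",
                                          "verify_certs", {"value": "false"}))
    return written


def demo_in_scratch_home():
    """Run the procedure against a throwaway SPLUNK_HOME and return
    {relative path: parsed stanzas} so the result can be inspected."""
    home = tempfile.mkdtemp(prefix="splunk_home_")
    result = {}
    for path in configure_phantom_integration(home, verify_certs=False):
        with open(path) as fh:
            rel = os.path.relpath(path, home).replace(os.sep, "/")
            result[rel] = parse_stanzas(fh.read())
    return result


if __name__ == "__main__":
    print("missing capabilities:", missing_capabilities(SAMPLE_BTOOL_OUTPUT))
    for rel, stanzas in demo_in_scratch_home().items():
        print(rel, stanzas)
```

Run it with a real SPLUNK_HOME only after reviewing the output in the scratch directory; a restart of Splunk software is still needed afterwards for the stanzas to take effect, as the procedure states.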
Step 3: Configure IT Service Intelligence

After you configure Splunk Phantom and the Phantom App for Splunk, configure your ITSI environment to send episodes to Phantom.

Create correlation searches

A correlation search is a recurring search that scans multiple data sources for defined patterns. You can configure a correlation search to generate a notable event, also known as an alert, when the search results meet specific conditions. As correlation searches begin to generate notable events, the events are grouped into episodes using the notable event aggregation policies you configure in the next step.

Configure several correlation searches to bring in data to ITSI that you want to aggregate and send to Splunk Phantom. For instructions on creating correlation searches, see Configure correlation searches in ITSI in the Administer Splunk IT Service Intelligence manual.

Configure aggregation policies to send episodes to Splunk Phantom

Notable event aggregation policies group notable events into episodes and organize them in Episode Review. They also let you take automatic actions on an episode, such as sending it to Splunk Phantom, when certain trigger conditions are met.

Configure the action rules of one or more aggregation policies in your environment to send episodes to Splunk Phantom. For more information about configuring action rules, see Action Rules in the Administer Splunk IT Service Intelligence manual.

  1. On the ITSI main menu, click Configure > Notable Event Aggregation Policies and open an existing policy.
  2. Go to the Action Rules tab.
  3. Click +Add Rule or expand an existing action rule.
  4. Provide an If condition.
    The best practice is to send an episode to Splunk Phantom immediately after it's created, when the first event is added. [Image: the IF condition reads "If the number of events in the episode is exactly equal to 1".]
  5. For the THEN condition, choose the action called Send to Phantom. [Image: the THEN statement reads "Then send to Phantom" and includes a Configure button.]
  6. Click Configure and configure the following Phantom fields:
    Field           Description
    Phantom Server  The Splunk Phantom server to send the episode to. Create and configure a Splunk Phantom server in the Phantom App for Splunk.
    Phantom Label   Splunk Phantom determines which playbooks to run for an ingested event based on the label associated with the event. Specify a label here to determine which playbooks to run. You can associate one or more labels with a playbook.
Last modified on 14 February, 2020

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.4.2, 4.4.3