Content Pack for Monitoring Phantom as a Service



The Content Pack for SOAR System Logs replaces the Content Pack for Monitoring Phantom as a Service, which is now a legacy product. Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Install and configure the Content Pack for Monitoring Phantom as a Service

The Splunk App for Content Packs allows you to access content packs, preview their contents, and install them in your environment. The Splunk App for Content Packs includes the Content Pack for Monitoring Phantom as a Service provided you are using ITSI version 4.9.0 or higher. If you are using ITSI version 4.8.x or lower, then you must install the content pack using backup and restore functionality provided by ITSI.

For a full list of the objects shipped in this content pack, see About the Content Pack for Monitoring Phantom as a Service.

Installation and configuration overview

Follow these high-level steps to configure the content pack:

  1. Install the content pack on your search head.
  2. Configure Phantom services.
  3. Tune KPI threshold levels.
  4. Configure alerting and notification settings.

Prerequisites

Install the Content Pack for Monitoring Phantom as a Service

You have two options for installing and configuring the Content Pack for Monitoring Phantom as a Service:

  • One option is to install the content pack from the Splunk App for Content Packs. The Content Pack for Monitoring Phantom as a Service is included in the Splunk App for Content Packs if you are using ITSI version 4.9.x.
  • Your second option is to install the content pack using backup and restore functionality provided by ITSI. You must choose this option if you are using ITSI version 4.8.x or lower.

Install the content pack from the Splunk App for Content Packs

To install the Content Pack for Monitoring Phantom as a Service, you have to install the Splunk App for Content Packs. To install the Splunk App for Content Packs in your environment, see the Splunk App for Content Pack installation instructions.

After you install the Splunk App for Content Packs, follow these steps to configure the Content Pack for Monitoring Phantom as a Service:

  1. From the ITSI main navigation bar, click Configuration > Data Integrations.
  2. Select Add content packs or Add structure to your data depending on your version of ITSI.
  3. Select the Monitoring Phantom as a Service content pack.
  4. Review what's included in the content pack and click Proceed.
  5. Configure the content pack settings:
     • Choose which objects to install: For a first-time installation, select the items you want to install and deselect any you're not interested in. For an upgrade, the installer identifies which objects from the content pack are new and which ones already exist in your environment from a previous installation. You can selectively choose which objects to install from the new version, or install them all.
     • Choose a conflict resolution rule for the objects you install: For upgrades or subsequent installs, decide what happens to duplicate objects introduced from the content pack. Choose from the following options:
         • Install as new - Objects are installed and any existing identical objects in your environment remain intact.
         • Replace existing - Existing identical objects are replaced with those from the new installation. Any changes you previously made to these objects are overwritten.
     • Import as enabled: Select whether to install objects as enabled or to leave them in their original state. It's recommended that you import objects as disabled to ensure your environment doesn't break from the addition of new content. This setting only applies to services, correlation searches, and aggregation policies. All other objects such as KPI base searches and saved searches are installed in their original state regardless of which option you choose.
     • Add a prefix to your new objects: Optionally, append a custom prefix to each object installed from the content pack. For example, you might prefix your objects with CP- to indicate they came from a content pack. This option can help you locate and manage the objects post-install.
     • Backfill service KPIs: Optionally backfill your ITSI environment with the previous seven days of KPI data. Consider enabling backfill if you want to configure adaptive thresholding and Predictive Analytics for the new services. This setting only applies to KPIs and not service health scores.
  6. When you've completed your selections, click Install selected.
  7. Click Install to confirm the installation. When the installation completes you can view all objects that were successfully installed in your environment. A green checkmark on the Data Integrations page shows any other content packs you have installed.

Install the content pack using backup and restore functionality provided by ITSI

If you are using ITSI version 4.8.x or lower, follow these steps to install the Content Pack for Monitoring Phantom as a Service. For instructions on restoring a backup, see Restore from a backup zip in the Administration Manual.

  1. Download the following ITSI backup file: BACKUP-CP-PHANTOM-1.0.1.zip.
  2. On your ITSI search head, create a restore job and upload the backup file. Give the job the same name as the backup file you downloaded. For example, BACKUP-CP-PHANTOM-1.0.1.
  3. After the restore job completes, confirm that the objects included in the content pack are restored to your environment. For a full list of the objects shipped in this content pack, see About the Content Pack for Monitoring Phantom as a Service.

Configure Phantom services

This content pack ships with the following services:

  • Splunk Phantom - OS
  • Splunk Phantom - Application

Splunk Phantom - OS

The Splunk Phantom - OS service uses entity filtering to determine which entities belong to it. For more information about entity filtering, see Split and filter a KPI by entities in ITSI in the Service Insights manual.

Perform the following steps to create a Phantom service for OS monitoring:

  1. In ITSI, click Configuration > Services.
  2. Open the Splunk Phantom - OS service.
  3. Click the Entities tab.
  4. In the Alias host matches field, list each of the Phantom servers you plan to monitor.
  5. Review the list of matched entities and make sure you see one entity for each Phantom server.
  6. Click Save to save the service configuration.

For more information about configuring entity rules, see Define entity rules for a service in ITSI in the Service Insights manual.

Splunk Phantom - Application

The Splunk Phantom - Application service is for application-level KPIs.

Tune KPI thresholds

After you configure your Phantom services, you must tune the thresholds within each Phantom KPI to meet the specifics of your environment. It's best to do this when you have at least a week of data in your Phantom environment.

First, review every KPI to determine whether it will help you identify when your Phantom service is degraded. If a KPI doesn't turn out to be a good indicator of service degradation, remove it to keep your implementation simple. This also makes it easier to find the information that leads you to the insight you're looking for.

Review and refine every KPI threshold to ensure the best accuracy of service health scores and creation of notable events. Use the following resources to configure KPI thresholds:

Configure alerting and notification settings

Configure ITSI to send you alerts when one or more KPIs are experiencing a sustained degradation.

Next steps

Now that you've completed the installation and configuration steps, continue to Use the Content Pack for Monitoring Phantom as a Service.

Last modified on 14 September, 2022

This documentation applies to the following versions of Content Pack for Monitoring Phantom as a Service: 1.0.1
