Splunk® Phantom (Legacy)

Administer Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Add and configure apps and assets to provide actions in Splunk Phantom

Splunk Phantom apps expand the capabilities of your Splunk Phantom instance by enabling connections to third-party products and services. These third-party products and services provide actions you can run or automate in your Splunk Phantom playbooks. For example, the MaxMind app provides the geolocate ip action for your Splunk Phantom deployment.

You can upgrade existing apps or install new apps at any time without having to upgrade the entire Splunk Phantom platform.

Apps have full access to the operating system of the Splunk Phantom platform. There are no security restrictions on any app while it is running.

An asset is a specific configuration, or instance, of an app. An asset is configured with the information required to communicate with the third-party product or service, such as IP address, automation service account, username, and password.

For example, Splunk Phantom ships with a VMware vSphere app enabling Splunk Phantom to get information from and take actions against a vSphere host. You can use Splunk Phantom to start and stop VMs, take snapshots, and download memory snapshots for analysis. In order for the app to be able to communicate with your vSphere servers, you must provide login credentials such as the hostname or IP address. You might have multiple vSphere servers, such as several individual ESXi hosts, or you might have them centralized onto one vCenter server. To tell Splunk Phantom about a given vSphere server, create a vSphere asset and provide the address and credentials needed for that server. You can then create another vSphere asset with a different address and credentials if needed. When taking actions, you specify which asset the action is for.

This table shows how multiple vSphere assets are configured from a vSphere app:

Splunk Phantom app   Configure multiple assets from a single app
VMware vSphere       vSphere 1
                       • IP address 192.168.1.1
                       • User admin1, password example1
                     vSphere 2
                       • IP address 192.168.1.2
                       • User admin2, password example2
                     vSphere 3
                       • IP address 192.168.1.3
                       • User admin3, password example3

View your Splunk Phantom apps

Splunk Phantom ships with hundreds of apps already installed. You can find more apps on the Splunk Phantom portal, obtain them from other Splunk Phantom users, and even create your own. See Splunk Phantom apps overview in Develop Apps for Splunk Phantom.

Perform the following tasks to view the apps provided by Splunk Phantom on the Apps page.

  1. From the main menu, select Apps to access the Apps page.
  2. View the list of configured apps on the Configured Apps tab. Any app that has at least one asset configured appears on this page. You can expand each app to view its configured assets and the actions the app provides. Click Configure New Asset to configure a new asset for the app. See Add a new Splunk Phantom asset.
  3. (Optional) Click Unconfigured Apps to view the list of apps installed on your Splunk Phantom instance that do not have at least one asset configured.
  4. (Optional) Click Orphaned Assets to review any assets that no longer have a corresponding app installed.

Install, update, or delete apps on Splunk Phantom

Navigate to the Apps page to install, update, or delete Splunk Phantom apps.

Install a new Splunk Phantom app

Perform the following steps to install a new Splunk Phantom app:

  1. Obtain the new app or develop a new app. See Splunk Phantom apps overview in Develop Apps for Splunk Phantom.
  2. From the main menu, select Apps.
  3. Click Install App.
  4. Drag and drop a .tar or .rpm archive of the app into the file field, or click in the file field and navigate to the location of the app file on your system.
  5. Click Install.

The new app is available on the Unconfigured Apps tab of the Apps page.

For compatibility needs, you can install multiple versions of the same app. However, only one version of the app can be active at a time.

Switching the active version of an app may have unintended consequences. For example, there might be differences among the actions, parameters, or output depending on the version of the app. Be sure to modify any playbooks as needed to be compatible with the active version of the app.

Update existing Splunk Phantom apps

To update an existing Splunk Phantom app, perform the following steps:

  1. From the main menu, select Apps.
  2. Click App Updates.
  3. Select any apps with available updates.
  4. Click Update.

Delete a Splunk Phantom app

Perform the following steps to delete a Splunk Phantom app:

  1. From the main menu, select Apps.
  2. Click the trash can icon for the app you want to delete.
  3. Click Delete to confirm you want to delete the app.

You can re-install any app that you deleted by downloading the app and installing the app again.

View your Splunk Phantom assets

Splunk Phantom ships with one asset for the DNS, MaxMind, PhishTank, REST Data Source, and WHOIS apps already configured.

To view configured assets, perform the following tasks:

  1. From the main menu, select Apps.
  2. Verify the Configured Apps tab is selected.
  3. In any app, click the arrow icon corresponding to configured assets to expand the section and view the assets. For example, if an app shows 3 configured assets, click on the arrow to view the configured assets. You can hover over the asset to edit or delete the asset.

Add, edit, or delete a Splunk Phantom asset

Manage the assets in your Splunk Phantom instance. You can add a new asset, and edit or delete existing assets.

Add a new Splunk Phantom asset

Perform the following steps to create a new Splunk Phantom asset:

  1. From the main menu, select Apps.
  2. Click Configure New Asset for the desired app.
  3. In the Asset Name field, enter a name for the asset such as firewall. This name is the one you use when referring to the asset in scripts. Specify the name as a string without spaces or punctuation.
  4. (Optional) In the Asset Description field, enter a longer and more descriptive name for this asset, such as Perimeter Firewall for the engineering network.
  5. (Optional) Enter one or more tags for the asset. You can use the same tag for multiple assets to group them together, and then perform actions on all assets with matching tags. See Add tags to objects in Splunk Phantom.
  6. Click Save.

The amount of configuration required for each asset is determined by the app. Some assets require additional configuration. For example, if you configure a QRadar asset, you must also configure settings on the Asset Settings and Ingest Settings tabs before you can save the configuration.

  • Most assets require authentication information so that Splunk Phantom can connect to the desired server or service. You can configure authentication for an asset on the Asset Settings tab.
  • Data ingestion settings, such as polling intervals and where to put the data once the data is ingested, are configured on the Ingest Settings tab. The destination for ingested data is called a container in Splunk Phantom.

Edit a Splunk Phantom asset

Perform the following steps to edit a Splunk Phantom asset:

  1. From the main menu, select Apps.
  2. Make sure the Configured Apps tab is selected.
  3. Click on the number of configured assets in the app to expand the section.
  4. In the table of configured assets, click the asset you want to edit.
  5. Click Edit, then make any desired changes. You can edit an asset's description, tags, settings, and approval settings. To change the asset name, you must delete the current asset and create a new asset with the desired name.
  6. Click Save.

Delete a Splunk Phantom asset

Perform the following steps to delete a Splunk Phantom asset.

  1. From the main menu, select Apps.
  2. Make sure the Configured Apps tab is selected.
  3. Click on the number of configured assets in the app to expand the section.
  4. In the table of configured assets, click the asset you want to delete.
  5. Click Delete Asset.
  6. Click Confirm to confirm that you want to delete the asset.

Configure advanced asset settings

Configure advanced asset settings such as the concurrent action limit, just in time (JIT) credentials, automation users, asset environment variables, and proxies.

Set the concurrent action limit

You can run concurrent actions on an existing asset, or on a new asset by following these steps:

  1. From the Splunk Phantom main menu, select Apps.
  2. Find the app you want to run an action on and click Configure New Asset. Or, to run concurrent actions on an existing asset, click on your desired preexisting asset.
  3. Click the Asset Settings tab > Advanced.
  4. In the Concurrent Action Limit box, enter the number of concurrent actions you want to run on your asset. You can run up to 10 actions at once. Use caution when changing this limit as it can significantly affect performance.
  5. Run the actions on an asset; evaluate performance.

For information on setting the global action concurrency limit, see Set the global action concurrency limit.

Disable action lock or action concurrency

Within an action entry in the app JSON, the optional lock key defines a set of parameters that control whether actions run concurrently. A lock is represented by its name. Multiple actions locking on the same name are serialized, even if the actions are from different apps. In the absence of a lock dictionary, the platform runs the action concurrently using the asset as the lock name.

To disable the lock for an action, the lock dictionary must be present and the "enabled" key set to false. When "enabled" is set to false, you can run as many concurrent actions as you would like.

"lock": {
   "enabled": false,
   "data_path": "parameters.hash",
   "timeout": 600
}

Parameter   Required?   Description
enabled     Required    Boolean value that specifies whether the lock is enabled for this action.
data_path   Optional    The name of the lock. Only valid if the lock is enabled. This value is either a datapath that points to a parameter of the action, such as parameters.hash where hash is one of the parameters of the action, or a datapath that points to a configuration parameter, such as configuration.server. At runtime, the platform reads the value stored in the data path and uses it as the name of the lock. You can also use a constant string, that is, any string that does not start with configuration. or parameters.; the platform uses this value as is. If data_path is not specified, the asset is used as the lock name.
timeout     Optional    Specifies the number of seconds to wait to acquire the lock before an error condition is reported.

If you have multiple actions with the lock enabled that are scheduled to run on an asset, you may want to exclude only some of them from running concurrently. To exclude a certain action from running concurrently, set concurrency to false in the app JSON. When both "enabled" and "concurrency" are set to true, you can run multiple actions concurrently up to the concurrent action limit. When "enabled" is set to true and "concurrency" is set to false, you can only run a single action.

"lock": {
   "enabled": true,
   "concurrency": false
}

Parameter     Required?   Description
enabled       Required    Boolean value that specifies whether the lock is enabled for this action.
concurrency   Optional    By default, concurrency is set to true to allow concurrent actions to run on an app. Set concurrency to false to opt out of concurrent actions running on an app.

If the lock is enabled on an action, but concurrency is set to false in the app.json, the action will not be counted in the concurrent action limit you set in Asset Settings.
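The following function is an added illustration of the lock rules described above (it is not Splunk Phantom's own scheduler code): given an action's lock dictionary from the app JSON, the asset name and the asset's Concurrent Action Limit, it resolves the lock name and how many runs may proceed at once. The action names, asset names and parameter values below are constructed for the example.

```python
from dataclasses import dataclass
from typing import Any, Dict, Optional

PARAM_PREFIX = "parameters."
CONFIG_PREFIX = "configuration."


@dataclass
class LockDecision:
    name: Optional[str]            # lock name; None means no lock is taken
    max_concurrent: Optional[int]  # runs allowed at once; None means unlimited
    timeout: Optional[int]         # seconds to wait for the lock, if declared
    counts_toward_limit: bool      # whether the run counts against the asset limit


def _read_datapath(path: str, prefix: str, source: Dict[str, Any]) -> str:
    """Follow a dotted datapath such as parameters.hash into a dict of values."""
    value: Any = source
    for key in path[len(prefix):].split("."):
        if not isinstance(value, dict) or key not in value:
            raise KeyError(f"datapath {path!r} has no value at runtime")
        value = value[key]
    return str(value)


def resolve_lock(action: Dict[str, Any], asset_name: str, asset_limit: int,
                 parameters: Dict[str, Any], configuration: Dict[str, Any]) -> LockDecision:
    """Apply the app JSON lock rules to one run of an action."""
    lock = action.get("lock")
    if lock is None:
        # No lock dictionary: the asset is the lock name and the asset's
        # Concurrent Action Limit applies.
        return LockDecision(asset_name, asset_limit, None, True)
    if not lock["enabled"]:
        # enabled=false: no lock, as many concurrent runs as you like.
        return LockDecision(None, None, lock.get("timeout"), True)
    data_path = lock.get("data_path")
    if data_path is None:
        name = asset_name
    elif data_path.startswith(PARAM_PREFIX):
        name = _read_datapath(data_path, PARAM_PREFIX, parameters)
    elif data_path.startswith(CONFIG_PREFIX):
        name = _read_datapath(data_path, CONFIG_PREFIX, configuration)
    else:
        name = data_path  # any other string is a constant lock name, used as is
    if lock.get("concurrency", True):
        # enabled=true, concurrency=true: up to the asset limit at once.
        return LockDecision(name, asset_limit, lock.get("timeout"), True)
    # enabled=true, concurrency=false: one run at a time on this lock name,
    # and the run is not counted in the asset's Concurrent Action Limit.
    return LockDecision(name, 1, lock.get("timeout"), False)


# Constructed app JSON fragment for the example (not a real app's actions).
SAMPLE_ACTIONS = {
    "file reputation": {"lock": {"enabled": True, "data_path": "parameters.hash", "timeout": 600}},
    "block ip": {"lock": {"enabled": True, "concurrency": False}},
    "lookup domain": {"lock": {"enabled": False}},
    "whois": {},
}
```

With data_path set to parameters.hash, two runs of file reputation for different hashes get different lock names and do not block each other, while two runs for the same hash serialize.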

Configure Just In Time Credentials for a Splunk Phantom asset

Some assets can be configured to use just in time (JIT) credentials, which require a Splunk Phantom user to type in credentials before any further action is taken. Use JIT credentials if your organization has policies against providing credentials in an automated manner, or if you are using one-time passwords.

To configure JIT credentials, perform the following steps:

  1. Navigate to the asset configuration page.
  2. Click the Asset Settings tab.
  3. Click Advanced to expand the section.
  4. Click Edit if you are editing an existing asset. You don't need to do this if you are configuring a new asset.
  5. In the Enable Just in Time credentials for field, select the fields for which you want to enable JIT authentication. For example, select username and password to enable JIT for login credentials.
  6. Click Save.

Once enabled, JIT uses the asset's approval settings to determine the set of users that must supply the credentials to complete the action. See Configure approval settings for a Splunk Phantom asset.

To use JIT, you must have at least one approver set up for the asset. If you have selected multiple users that require a quorum to approve, then the last user (the one that would cast the final vote that causes the action to run) must be the one who supplies correct credentials. Earlier users can supply credentials, but the last user supplies the set that is actually used. Anything entered before that user is overwritten by the last user. Note that even if you have "Automatic self-approval" configured in Splunk Phantom for your own approval vote, you still receive a JIT prompt when credentials are required.

Configure automation users for a Splunk Phantom asset

Define the automation user to specify the service account Splunk Phantom uses to run the asset. The default account is the automation account provided by Splunk Phantom.

Perform the following tasks to create a custom automation user in Splunk Phantom:

  1. Navigate to the asset configuration page.
  2. Click the Asset Settings tab.
  3. Click on Advanced to expand the section.
  4. Click Edit if you are editing an existing asset. You don't need to do this if you are configuring a new asset.
  5. In the Select a user on behalf of which automated actions can be executed (e.g. test connectivity, ingestion) field, select the desired automation user.
  6. Click Save.

Configure environment variables for a Splunk Phantom asset

Environment variables configured in an asset take precedence over any global environment variables. See Set environment variables globally for all apps for information about setting global environment variables.

Perform the following tasks to set environment variables for a Splunk Phantom asset:

  1. Navigate to the asset configuration page.
  2. Click the Asset Settings tab.
  3. Click on Advanced to expand the section.
  4. Click Edit if you are editing an existing asset. You don't need to do this if you are configuring a new asset.
  5. Click + Variable to add a new environment variable.
  6. Enter the name and value of the variable.
  7. (Optional) Click Secret to encrypt the value so that it is not displayed in the Splunk Phantom web interface.
  8. (Optional) Click + Variable to add more variables as needed.
  9. Click Save.

See Configure proxies for a Splunk Phantom asset for information on how to set environment variables so that the asset can use a proxy.

Configure proxies for a Splunk Phantom asset

Perform the following steps to configure the environment variables needed for the app to communicate with a proxy:

  1. Navigate to the asset configuration page.
  2. Click the Asset Settings tab.
  3. Click Advanced to expand the section.
  4. Click Edit if you are editing an existing asset. You don't need to do this if you are configuring a new asset.
  5. Click + Variable to add a new environment variable.
  6. Configure the HTTP_PROXY, HTTPS_PROXY, or NO_PROXY variables depending on the type of proxy connection.
    • For HTTP and HTTPS proxy configurations, include the protocol, hostname or IP address, and the port of the proxy server. For example:
      <Protocol>://<Hostname/IP>:<Port>
    • For NO_PROXY configurations, include the IP address, hostname, or domain of the asset.
  7. (Optional) Click Secret to encrypt the value so that it is not displayed in the Splunk Phantom web interface.
  8. Click Save.

The table shows an example of how to configure HTTP, HTTPS, and no proxy for a Splunk Phantom asset. For apps that use the Python requests library, configuring both the HTTPS and HTTP environment variables directs all app traffic through the proxy server.

Proxy Name    Proxy Value
HTTP_PROXY    http://192.168.13.1:80
HTTPS_PROXY   https://192.168.13.100:8800
NO_PROXY      example.com
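The following check is an added example (not Splunk Phantom code) for verifying, before saving an asset, that the proxy values have the required <Protocol>://<Hostname/IP>:<Port> shape and which proxy an app would actually use for a given URL. It uses the standard library's urllib resolution of the *_PROXY and NO_PROXY convention, which is the same environment convention requests reads; the asset values come from the table above and the URLs are constructed.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit
from urllib.request import proxy_bypass_environment

# Asset environment variables, taken from the table on this page.
ASSET_ENV = {
    "HTTP_PROXY": "http://192.168.13.1:80",
    "HTTPS_PROXY": "https://192.168.13.100:8800",
    "NO_PROXY": "example.com",
}


def validate_proxy_value(value: str) -> bool:
    """True if value has the form <Protocol>://<Hostname/IP>:<Port>."""
    try:
        parts = urlsplit(value)
        return (parts.scheme in ("http", "https")
                and bool(parts.hostname)
                and parts.port is not None)
    except ValueError:  # for example a non-numeric port
        return False


def proxy_for(url: str, env: Dict[str, str]) -> Optional[str]:
    """Return the proxy URL an app would use for url, or None for a direct
    connection because the host matches NO_PROXY (exact host or any
    subdomain of a listed domain)."""
    # HTTP_PROXY -> "http", HTTPS_PROXY -> "https", NO_PROXY -> "no", as urllib does.
    proxies = {k[:-6].lower(): v for k, v in env.items()
               if k.lower().endswith("_proxy") and v}
    host = urlsplit(url).hostname or ""
    if proxy_bypass_environment(host, proxies):
        return None
    return proxies.get(urlsplit(url).scheme.lower())


def check_asset_env(env: Dict[str, str]) -> Dict[str, bool]:
    """Validate each *_PROXY value that needs the URL form (NO_PROXY is a host list)."""
    return {name: validate_proxy_value(env[name])
            for name in ("HTTP_PROXY", "HTTPS_PROXY") if name in env}
```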

Configure ingest settings for a Splunk Phantom asset

Data ingestion settings are available for assets such as QRadar, Splunk, and IMAP. Perform the following steps to configure ingestion settings for a Splunk Phantom asset:

  1. Navigate to the Asset Configuration page.
  2. Click the Ingest Settings tab.
  3. Click Edit if you are editing an existing asset. You don't need to do this if you are configuring a new asset.
  4. In the Label to apply to objects from this source field, select a container label you want to apply to objects from this source. You can also type in a new label name.
  5. (Optional) Configure a polling interval for the asset to ingest data.
    • Select Interval to configure the number of minutes between polls.
    • Select Scheduled to view additional options and intervals.
  6. (Optional) Some assets have a Process Missed Jobs checkbox. Check this box if you want Splunk Phantom to process any missed jobs. Jobs can be missed in cases where Splunk Phantom is not running, or one poll didn't complete before the next one started.
  7. Click Save.

Configure approval settings for a Splunk Phantom asset

Assets created with no approvers run immediately. This is usually acceptable company policy for an asset that provides a whois lookup action. For assets such as firewalls, company policies usually restrict the ability to change firewall settings, so any actions performed on a firewall asset must go through the approval process.

Configure the approval settings for a Splunk Phantom asset to determine who must approve the actions taken against the asset. See Approve actions before they run in Splunk Phantom in the Use Splunk Phantom manual.

To configure approval settings for an asset, perform the following steps:

  1. Navigate to the asset configuration page.
  2. Click the Approval Settings tab.
  3. Click Edit if you are editing an existing asset. You don't need to do this if you are configuring a new asset.
  4. Select the users and roles you want to configure as primary approvers. Click the arrow buttons to add users and roles to, or remove them from, the Primary Approvers field.
  5. Select the number of required primary approvers from the drop-down list in the Required primary approvers field.
  6. Select the users and roles you want to configure as secondary approvers. Click the arrow buttons to add users and roles to, or remove them from, the Secondary Approvers field.
  7. Select the number of required secondary approvers from the drop-down list in the Required secondary approvers field.
  8. Click Save.

Configure the tenant assigned to a Splunk Phantom asset

Assign a tenant to an asset to separate data and make sure that the asset is only used with the container with the same tenant. You can only assign tenants to an asset if multi-tenancy is configured and enabled in Splunk Phantom. See Configure multiple tenants on your Splunk Phantom instance.

Perform the following steps to assign a tenant to a Splunk Phantom asset:

  1. Make sure multi-tenancy is enabled on your Splunk Phantom instance.
  2. Navigate to the asset configuration page.
  3. Click the Tenants tab.
  4. Click Edit if you are editing an existing asset. You don't need to do this if you are configuring a new asset.
  5. Select the desired tenants from the Available Tenants box and click the arrows to move them to the Mapped to Asset box.
    • Non-ingestion assets that do not have a tenant assigned are available to all tenants. You can assign multiple tenants to a non-ingestion asset.
    • Ingestion assets must have one tenant assigned. You can't assign multiple tenants. If no tenant is selected in the asset configuration, the default system tenant is assigned to the asset and any containers created by the asset.
  6. Click Save.
Last modified on 19 January, 2021

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7
