Splunk® Phantom (Legacy)

Administer Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Take a tour of Splunk Phantom and perform product onboarding when you log in for the first time

When you log in to Splunk Phantom for the first time, there are several screens you must navigate before arriving at the home page. The screens appear in the following order:

Read and accept the Splunk End User License Agreement

When you log in to Splunk Phantom for the first time, you must read and accept the Splunk End User License Agreement.

  1. Scroll to the bottom of the End User License Agreement.
  2. Click I Accept.

Review and understand how Splunk collects and uses aggregated product usage data

Splunk Phantom collects anonymized product usage data and sends it to Splunk. This behavior is enabled by default. Read the text on the Helping You Get More Value from Splunk Software page and click Got it.

See Share data from Splunk Phantom for information about how to opt out, what information is shared, and how it is used.

Take a tour of Splunk Phantom and create some sample data

Generate some sample data and get a guided tour of Splunk Phantom's main pages.

Click Exit Tour at any time to leave the tour and go to the onboarding tutorial, where you can Configure basic settings for your Splunk Phantom instance, data sources, playbooks, and apps and assets.

Perform the following tasks to create some sample data and take the guided tour:

  1. Click Get Started to begin the product tour and create sample events.
  2. Generate some sample events. Click the number of sample events you want to generate. After the events are generated, the Sources page shows you the sample events.
  3. Click View Event to view the details for an event on the Investigation page.
  4. Click Run Playbook to run a playbook against this event. In Investigation, the Activity tab shows the automated actions taken against the event by the playbook.
  5. Click View Playbook to view the playbook in the Playbook Editor. Playbooks run from the Start block and perform the actions up to the End block.
  6. Click Configure Phantom to complete the tour and go to the onboarding tutorial, where you can Configure basic settings for your Splunk Phantom instance, data sources, playbooks, and apps and assets.

Configure basic settings for your Splunk Phantom instance, data sources, playbooks, and apps and assets

Click Skip on-boarding at any time to go directly to the Splunk Phantom home page. See Log in and navigate Splunk Phantom in Use Splunk Phantom.

Configure basic settings

Configure basic administrative and email settings for your Splunk Phantom instance.

  1. Configure the administrative password, company name, IT contact email address, system time zone, and the appliance base URL for this Splunk Phantom instance. Choose a strong, unique administrative password: this account has full control of the instance. Enter the base URL that users actually reach the instance at, because Splunk Phantom uses it when it constructs links back to the instance. If you skip the on-boarding, you can configure these fields later. See Configure your company settings in Splunk Phantom for more information about these fields.
  2. Configure email server settings. Splunk Phantom needs an email server to send users email for action approvals, when SLAs are breached, and when items they are tracking change. If you skip the on-boarding, you can configure the email server asset later. See Add and configure apps and assets to provide actions in Splunk Phantom.
    1. Use smtp as the default asset name, or enter a new name.
    2. Enter the IP address or hostname of the email server.
    3. Select the SSL method that your Splunk Phantom instance should use to connect to the email server. Prefer SSL or StartTLS: with no SSL method, the SMTP credentials and every notification cross the network in cleartext.
    4. Complete the email asset configuration by providing a tag, username, password, sender address, and port. Use a dedicated send-only mail account rather than a personal or shared administrative mailbox.
    5. Click Enable Unicode Support so that Splunk Phantom displays Unicode characters in email correctly.
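The on-boarding form gives no feedback until a notification is actually sent, so it is worth confirming that the server accepts the chosen SSL method and credentials before saving the asset. The following pre-flight check is an added example, not Splunk Phantom's own code or part of the SMTP app: it flags method/port combinations that commonly fail, then connects the same way the asset will (implicit TLS, STARTTLS upgrade, or plain) and reports what worked. The SSL method labels and the hostname and account in the `__main__` section are assumptions; substitute the values you intend to enter in the form.

```python
"""Pre-flight check for the SMTP server settings entered in the Phantom email asset."""
import smtplib
import ssl

# The three choices the asset form offers for "SSL method". Assumption: the labels
# map onto these connection styles; check your app version if they differ.
VALID_METHODS = ("None", "SSL", "StartTLS")


def check_method_port(method, port):
    """Return warnings for SSL-method/port pairs that commonly fail or are unsafe.

    An empty list means nothing obviously wrong was found; it is not proof that the
    server accepts the combination. probe_smtp() checks that.
    """
    warnings = []
    if method not in VALID_METHODS:
        warnings.append(f"unknown SSL method {method!r}; expected one of {VALID_METHODS}")
        return warnings
    if method == "SSL" and port != 465:
        warnings.append(f"implicit TLS is normally served on port 465, not {port}")
    if method == "StartTLS" and port == 465:
        warnings.append("port 465 expects implicit TLS; STARTTLS is normally on 587 (or 25)")
    if method == "None":
        warnings.append("credentials and message bodies will cross the network in cleartext")
    return warnings


def probe_smtp(host, port, method, username=None, password=None, timeout=5.0):
    """Connect the way the asset will and report what worked; never raises.

    Returns a dict: connected, tls (channel encrypted), authenticated (None when no
    credentials were given), error (None or a short description of the failure).
    """
    result = {"connected": False, "tls": False, "authenticated": None, "error": None}
    context = ssl.create_default_context()  # verifies the server certificate
    conn = None
    try:
        if method == "SSL":
            conn = smtplib.SMTP_SSL(host, port, timeout=timeout, context=context)
            result["tls"] = True
        else:
            conn = smtplib.SMTP(host, port, timeout=timeout)
        result["connected"] = True
        conn.ehlo()
        if method == "StartTLS":
            if not conn.has_extn("starttls"):
                raise smtplib.SMTPException("server does not advertise STARTTLS")
            conn.starttls(context=context)
            conn.ehlo()  # capabilities can change after the TLS upgrade
            result["tls"] = True
        if username is not None:
            conn.login(username, password or "")
            result["authenticated"] = True
    except (OSError, smtplib.SMTPException) as exc:  # ssl.SSLError is an OSError
        if isinstance(exc, smtplib.SMTPAuthenticationError):
            result["authenticated"] = False
        result["error"] = f"{type(exc).__name__}: {exc}"
    finally:
        if conn is not None:
            try:
                conn.quit()
            except (OSError, smtplib.SMTPException):
                pass
    return result


if __name__ == "__main__":
    # Constructed values; replace them with the ones you intend to enter in the asset.
    host, port, method = "mail.example.com", 587, "StartTLS"
    for warning in check_method_port(method, port):
        print("warning:", warning)
    print(probe_smtp(host, port, method, username="phantom@example.com", password="secret"))
```

Run it from a host on the same network segment as the Splunk Phantom instance so that firewall rules between Phantom and the mail server are exercised too; a result with `connected` true but `tls` false under StartTLS means the server never advertised the upgrade, and the asset will fail the same way.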

Configure a data source

Configure a data source from which Splunk Phantom can ingest data. In this on-boarding procedure, you can add one data source. You can add additional data sources later at any time. See Add and configure apps and assets to provide actions in Splunk Phantom.

Perform the following tasks to configure a data source during the on-boarding procedure.

  1. Select a data source.
  2. Select or specify an asset name.
  3. Select or specify a container name.
  4. (Optional) Click Additional Information to expand the section.
    1. Enter one or more Tags to attach to the objects from this data source.
    2. Enter a description for the asset.
    3. Complete other fields specific to the asset type. The fields may vary depending on the data source you selected.
  5. Click Save.
  6. In some cases, you are asked to perform additional tasks. For example, if you configure a Splunk data source, you must record the authorization token that is provided and also download a separate app from Splunkbase in order for the integration between Splunk Phantom and the Splunk platform to work.
  7. Click Continue.

Run a demo playbook

A list of playbooks is available based on the data source you configured. Select a playbook you want to run, then click Save and Continue.

Configure apps and assets

Configure apps and assets that will provide actions for your playbooks.

  1. Select the apps that will provide the actions for the selected playbook.
    • If you selected the investigate playbook, select one app in each of the following categories: Information Services, File Reputation Services, Domain Reputation Services, Sandbox, and Threat Intel.
    • If you selected the hunting playbook, select one app in each of the following categories: Information Services, Endpoint Services, File Reputation Services, and Sandbox.
  2. In the Select Apps to Configure section, click on each app and provide the required information to configure an instance of the app, called an asset.
  3. Click Additional Information to expand the section and provide additional information.
  4. Click Save and Test Connectivity to verify the configuration of each asset. Resolve any failed test before continuing; a playbook action that targets an unreachable asset fails at run time.
Last modified on 20 May, 2020

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7