Splunk® Phantom (Legacy)

Administer Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Obtain and configure a Splunk Phantom license

From the main menu, select Administration > Company Settings > License to view information about the license on your system.

There are three types of licenses available for Splunk Phantom:

  • Community License
    This is the default, free license for everyone who registers for Splunk Phantom Community access and downloads Splunk Phantom. This license is limited to a set number of actions per day. See Community License.
  • Event-based License
    This license type is based on the number of events updated in the twenty-four hour tracking period. Individual licenses vary in terms of volume.
  • Seat-based License
    This license is governed by the number of users allowed to log in to Splunk Phantom. Seat-based licensing is available in blocks of five seats and can vary by the number of tenants.

The number of tenants is purchased as an additional parameter for both event-based and seat-based licenses.

If a license is removed or expires, Splunk Phantom reverts to the community license.

Community license

Splunk Phantom installs with a default license, the Community License. The Community License is limited to:

  • 100 licensed actions per day
  • 50 containers
  • 1 tenant
  • 5 cases in the New or Open states

Splunk Phantom licensed actions

  • phantom.act()
  • phantom.prompt()

Using these actions via the REST API, a Playbook, or by executing an action in the Splunk Phantom graphical user interface counts as a licensed action. When used in the Visual Playbook Editor's debugger, these actions are not counted against the number of licensed actions.

No actions called from the Visual Playbook Editor's debugger count as a licensed action.

The action limit is specifically the number of actions run, as opposed to Playbooks run. Running one Playbook may invoke several actions. Also, an action run against multiple assets will count as only one action. Keep this in mind if you are managing the number of actions taken per day.

Event-based license

The Event-based license limits events.

An event is a container. A container is a top-level composite object that collects artifacts. An event-based license tracks the number of events that are updated in the twenty-four hour tracking period.

Seat-based license

Customers using a seat-based license are limited to a number of user accounts that can log in to Splunk Phantom. This number includes local accounts in Splunk Phantom and accounts authenticated or managed by external services such as SAML2, LDAP, or OpenID. The built-in user accounts for the automation and the admin users do not count against a seat-based license. Other users assigned the admin role still count against a seat-based license.

Seat limits must be purchased in increments of five.

Obtaining a license

To obtain a license, you must submit a license request and obtain a Splunk Phantom license file.

To obtain a trial license for Splunk Phantom, contact the Splunk Phantom Sales department.

To request an updated copy of a current Splunk Phantom license, open a license request case at https://support.splunk.com or call +1(855)SPLUNK-S or +1(855)775-8657.

International Splunk Support numbers are located at https://www.splunk.com/en_us/about-us/contact.html#tabs/customer-support.

The number of events permitted and expiration of the license is based on the terms listed in your company's entitlement.

Once you have your license file:

  1. From the main menu, select Administration.
  2. Select Company Settings > License.
  3. Click Upload Key.
  4. Provide the location of the key file on your system.
  5. Click Accept & Install. The license is applied automatically.

The information obtained from the license file is displayed on the page.

If any of the information shown is incorrect or you experience any difficulty loading the license file, open a support case at https://support.splunk.com or call +1(855)SPLUNK-S or +1(855)775-8657.

Last modified on 01 March, 2021
Configure the ROI Settings dashboard   Configure a source control repository for your Splunk Phantom playbooks

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters