Splunk® Phantom (Legacy)

Administer Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Tune performance by managing features

An administrator can tune performance of their deployment by toggling the Indicators feature or removing audit logs from the deployment after they have been downloaded.

Enable or disable the indicators feature

Prior to 4.8, retrieval of indicator records did not scale in some large deployments with hundreds of thousands of indicator records. Improvements have been made to enhance performance, but some administrators may wish to disable the feature entirely.

An administrator can toggle the Indicators feature of by running a script from the *nix shell command line.

Disabling the Indicators feature removes it from the Main Menu, from the events page, and from context menus in the investigations page.

When indicators are disabled, the indicator REST APIs return response 400, with the message body:

{
    "failed": true,
    "message": "The indicators feature is not enabled."
}

Affected APIs

  • /rest/indicator
  • /rest/indicator_by_value
  • /rest/indicator_artifact
  • /rest/indicator_artifact_timeline
  • /rest/indicator_stats_indicator_count
  • /rest/indicator_stats_top_labels
  • /rest/indicator_stats_top_types
  • /rest/indicator_stats_top_values
  • /rest/ioc
  • /rest/indicator_common_container

See REST Indicators.

Toggle the Indicators feature

To disable Indicators:

  1. SSH to your instance.
    SSH <username>@<phantom_hostname>
  2. Run the set_preference command.
    phenv set_preference --indicators no

To enable Indicators:

  1. SSH to your instance.
    SSH <username>@<phantom_hostname>
  2. Run the set_preference command.
    phenv set_preference --indicators yes

It can take as much as five minutes for the indicators feature to be hidden or to show from the Splunk Phantom UI after the set_preference command has been run.

Delete audit logs

Downloading Audit logs could take a long time because all the records were loaded into memory before being written to a file. In version 4.8, audit logs have been changed to stream records to a file.

An administrator can remove audit logs after they have been manually downloaded and archived by using the delete_audit_logs.pyc script found in /<PHANTOM_HOME>/phantom/bin.

This script will permanently delete audit records from Splunk Phantom. The records cannot be recovered without restoring Splunk Phantom from a backup. Exercise caution when using this script.

delete_audit_logs.pyc arguments

# phenv python delete_audit_logs.pyc-h
usage: delete_audit_logs.py [-h] [--before BEFORE_TIMESTAMP]
                            [--after AFTER_TIMESTAMP]
                            [--categories [CATEGORIES [CATEGORIES ...]]]
                            [--dry-run] [--non-interactive]
                            [--log-level {NOTSET,DEBUG,INFO,WARNING,ERROR,CRITICAL}]
Argument Description
-h, --help Show this help message and exit.
--before <BEFORE_TIMESTAMP> Records created before this timestamp will be deleted.

Records created after this timestamp will not be deleted. The timestamp value must be in yyyy-mm-dd [hh:mm:ss] format.

--after <AFTER_TIMESTAMP> Records created after this timestamp will be deleted.

Records created before this timestamp will not be deleted. The timestamp value must be in yyyy-mm-dd [hh:mm:ss] format.

--categories [CATEGORIES [CATEGORIES ...]] Only delete records with the given categories.

Examples of categories: user, container, playbook, administration, artifact.

--dry-run Do not run the DELETE queries. Use this argument to test your parameters before running the script for real.
--non-interactive Do not block on user input. This flag is suitable for running as part of an unsupervised script.
--log-level {NOTSET, DEBUG, INFO, WARNING, ERROR, CRITICAL} Set the log level. Default level is WARNING.

Examples

Test script parameters by using the --dry-run option first.

Delete all audit logs from before July 2019:

sudo phenv python delete_audit_logs.pyc --before 2019-07-01

Delete audit logs between July 1 and December 1 2019:

sudo phenv python delete_audit_logs.pyc --after 2019-07-01 --before 2019-12-01
Last modified on 07 September, 2021
Define tasks using workbooks   Use data retention strategies to schedule and manage your database cleanup

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters