Splunk® Phantom (Legacy)

Administer Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Share data from Splunk Phantom

When Splunk Phantom is deployed, the platform sends anonymized usage data to Splunk Inc. ("Splunk") to help improve Splunk Phantom in future releases. You can opt in or opt out of sharing telemetry data.

Enable telemetry by doing the following:

  1. From the main menu, select Administration.
  2. Expand the Product Settings drop-down list.
  3. Click Telemetry.
  4. Toggle the switch to the On position.
  5. Click Confirm.

Disable telemetry by doing the following:

  1. From the main menu, select Administration.
  2. Expand the Product Settings drop-down list.
  3. Click Telemetry.
  4. Toggle the switch to the Off position.
  5. Click Confirm.

How data is collected

Splunk Phantom uses Splunk Web Analytics (swa.js) to collect anonymous usage data. These analytics run in the background regardless of whether you opt in to sending usage data to Splunk. Data collection has a minimal effect on Splunk Phantom UI load times. Performance numbers are currently being gathered for comparison against a baseline Splunk Phantom system with no telemetry.

What data is collected

Data is collected to measure product metrics, assess performance for optimizations, evaluate engagement for roadmaps, and discover client-side errors to inform UI fixes. The metrics do not contain any user-provided values such as username, email, or any URL parameters that could identify a user or customer. Splunk Phantom collects the following basic usage information:

Name: app.session.session_start
Description: Reports the browser and OS, along with their versions.
Example:
data: {
    app: UNKNOWN_APP
    browser: Chrome
    browserVersion: 78.0.3904.97
    device: MacIntel
    locale: en-US
    os: Mac OS X
    osVersion: 10.
    page: UNKNOWN_PAGE
    splunkVersion: not available
}
eventID: d9ca862c-d48d-83a1-d1bb-f0f25f4b5af8
experienceID: 6c2c534b-e750-e1a0-95fd-fcada1a50be0
optInRequired: 3
timestamp: 1574213029
visibility: anonymous

Name: app.session.phantom.pageview
Description: Reports which pages are visited by users.
Example:
data: {
   app: phantom
   page: admin.company_settings.info
   phantomDeploymentID: phantom-a2a983de-38ec-42d7-a179-30087b0ca8ca
   phantomUserID: 5d900c28b8d1555745c09908ef386860
}
eventID: 0db11144-7c14-88f7-b3e9-3a999102bfc6
experienceID: 20d4d671-7d18-f74a-c72f-9811b5bee20d
optInRequired: 3
timestamp: 1574210581565
visibility: anonymous

Name: app.session.phantom.error
Description: Reports uncaught errors of front-end Splunk Phantom scripts.
Example:
data: {
   app: phantom
   errorMsg: Uncaught ReferenceError: helloworld is not defined
   file: /inc/swa/swa_enabled.js
   page: admin.product_settings.telemetry
   position: 74:1
   phantomDeploymentID: phantom-a2a983de-38ec-42d7-a179-30087b0ca8ca
   phantomUserID: 5d900c28b8d1555745c09908ef386860
}
eventID: 94efce66-ab89-33ae-f894-1cceb8f68f78
experienceID: 239facf6-261d-dd96-be08-33870c7d3750
optInRequired: 3
timestamp: 1574294947704
visibility: anonymous

Name: app.session.phantom.apiTime
Description: Reports roundtrip time consumption for each API request.
Example:
data: {
    app: phantom
    endpoint: /rest/ph_user/3/permissions
    method: get
    page: UNKNOWN_PAGE
    status: 200
    time: 150
    phantomDeploymentID: phantom-a2a983de-38ec-42d7-a179-30087b0ca8ca
    phantomUserID: 5d900c28b8d1555745c09908ef386860
}
eventID: 551e5c46-4f71-d92a-51ba-30cf97ae3a97
experienceID: 6c2c534b-e750-e1a0-95fd-fcada1a50be0
optInRequired: 3
timestamp: 1574213030362
visibility: anonymous

Name: app.session.phantom.viewTime
Description: Reports time spent on a specific page. Only tracked for specific pages.
Example:
data: {
   app: phantom
   page: reports
   viewTime: 10223
   phantomDeploymentID: phantom-a2a983de-38ec-42d7-a179-30087b0ca8ca
   phantomUserID: 5d900c28b8d1555745c09908ef386860
}
eventID: 545fdcfb-ac0d-a11b-da6a-4b9da84b6c2a
experienceID: 85b49544-fb90-a2ef-1b3f-e09339f3abc1
optInRequired: 3
timestamp: 1573690198763
visibility: anonymous

Name: app.session.phantom.license
Description: Reports license status, limits, and usage information. Sent once per session.
Example:
data: {
   app: phantom
   expirationDate: 1576800000000
   issueDate: 1575504000000
   limits: {
      actions: 50
      events: 75
      tenants: 250
      users: 5
   }
   page: UNKNOWN_PAGE
   type: standard
   usage: {
      recentAppRunCount: 5
      recentDebugRunCount: 5
      recentPlaybookRunCount: 1
   }
   phantomDeploymentID: phantom-a2a983de-38ec-42d7-a179-30087b0ca8ca
   phantomUserID: 5d900c28b8d1555745c09908ef386860
}
eventID: 5854bede-18d9-5a88-d023-e698dab1afaf
experienceID: 31a418cc-1371-c58a-a0b8-dc87638b126f
optInRequired: 3
timestamp: 1575656115189
visibility: anonymous

Name: app.session.phantom.systemSettings
Description: Reports the feature on/off settings and product version.
Example:
component: app.session.phantom.systemSettings
data: {
   app: phantom
   isClusteringEnabled: false
   isMultiTenantEnabled: false
   numOfClusterNodes: 0
   page: UNKNOWN_PAGE
   productVersion: 10900.0.5
   nodeGUID: dca36837-3e10-4cbd-bf14-b49097b84347
   searchConfig: {
     isElasticSearchEnabled: false
     searchLocation: local
     searchType: standalone
   }
   phantomDeploymentID: phantom-a2a983de-38ec-42d7-a179-30087b0ca8ca
   phantomUserID: 5d900c28b8d1555745c09908ef386860
}
eventID: d4b331e7-3ce3-91b6-7724-bc4d7235bca9
experienceID: 21febb16-c3f6-cbd5-ffac-905f1466c830
optInRequired: 3
timestamp: 1576695256840
visibility: anonymous
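
A check that can be run over captured telemetry events to confirm they carry only the fields documented above and no e-mail addresses or URL query parameters. This is an added example, not Splunk code: it assumes events have already been decoded into dicts with the field names shown on this page, and the names `audit_event`, `flatten`, `DOCUMENTED` and the sample events are hypothetical.

```python
import re

# Envelope keys seen in the examples on this page ("component" appears in one).
ENVELOPE = {"component", "data", "eventID", "experienceID",
            "optInRequired", "timestamp", "visibility"}
COMMON = {"app", "page", "phantomDeploymentID", "phantomUserID"}
# Keys allowed inside "data" per event name, copied from the examples on this page.
DOCUMENTED = {
    "app.session.session_start": {
        "app", "browser", "browserVersion", "device", "locale", "os",
        "osVersion", "page", "splunkVersion"},
    "app.session.phantom.pageview": COMMON,
    "app.session.phantom.error": COMMON | {"errorMsg", "file", "position"},
    "app.session.phantom.apiTime": COMMON | {"endpoint", "method", "status", "time"},
    "app.session.phantom.viewTime": COMMON | {"viewTime"},
    "app.session.phantom.license": COMMON | {"expirationDate", "issueDate", "limits", "type", "usage"},
    "app.session.phantom.systemSettings": COMMON | {
        "isClusteringEnabled", "isMultiTenantEnabled", "numOfClusterNodes",
        "productVersion", "nodeGUID", "searchConfig"},
}
SUSPECT = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+|\?[^\s=]+=")  # e-mail or URL query parameter

def flatten(d, prefix=""):
    """Yield (dotted_key, value) for every leaf of a nested dict."""
    for k, v in d.items():
        if isinstance(v, dict):
            yield from flatten(v, f"{prefix}{k}.")
        else:
            yield f"{prefix}{k}", v

def audit_event(name, event):
    """Return findings for one captured event; an empty list means it matches this page."""
    if name not in DOCUMENTED:
        return [f"undocumented event name: {name}"]
    findings = [f"undocumented envelope field: {k}" for k in sorted(set(event) - ENVELOPE)]
    if event.get("visibility") != "anonymous":
        findings.append("visibility is not 'anonymous'")
    data = event.get("data", {})
    findings += [f"undocumented data field: {k}" for k in sorted(set(data) - DOCUMENTED[name])]
    for key, value in flatten(data):
        if isinstance(value, str) and SUSPECT.search(value):
            findings.append(f"possible identifying value in data.{key}")
    return findings

# Constructed samples: GOOD mirrors the pageview example above; BAD is deliberately non-conforming.
ENV = {"optInRequired": 3, "timestamp": 1574210581565, "visibility": "anonymous"}
GOOD = {**ENV, "data": {"app": "phantom", "page": "admin.company_settings.info"}}
BAD = {**ENV, "data": {"app": "phantom", "username": "alice",
                       "endpoint": "/rest/example?owner=alice@example.com"}}
```

Free-text fields such as `errorMsg` and `endpoint` are where unexpected values are most likely to surface, so the value scan covers every string leaf rather than only unknown keys.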
Last modified on 03 February, 2020

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

