Splunk® Phantom (Legacy)

Develop Apps for Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Frequently asked questions


How do I handle Python module dependencies for my app?

You can manage dependencies on Python modules by packaging the required modules with the app, or by adding PIP dependencies in the app JSON.

When an action is executed, the platform adds the following directories to the PYTHONPATH environment variable:

  • /opt/phantom/lib
  • /opt/phantom/www
  • /opt/phantom/apps/[app_install_directory]
  • /opt/phantom/apps/[app_install_directory]/dependencies

Package required modules with the app

Place all required modules as part of the app TAR file. You can do this in the following ways:

  • Install the modules into a subdirectory of the app. PIP supports the --target command line switch, which installs the modules at a specific location. Use this switch to install the modules into the app's subdirectory called dependencies. When the app TAR file is installed on the platform, the modules will be part of the app code.
  • Distribute the complete module, including the source and license file, in a subdirectory of the app. In this case, the app needs to add any such folders to the PYTHONPATH itself.

The platform will install all the files present in the app TAR file in the app install directory. Be careful while packaging modules this way. Many Python modules are released under various licenses. Make sure the license allows for such redistribution. Packaging modules this way makes the app self-sufficient.

Add PIP dependencies in the app JSON

Specify app dependencies in the app JSON so that the platform tries to install the dependencies with the app. See Specifying pip dependencies for more information.

How do I generate test JSON for debugging?

To generate test JSON to use for debugging with pudb, use the log from an actual action run. First, code enough of the action, such as its name and parameters, that the action can be executed from the UI. Then follow these steps:

  1. Configure the debug logging to WARNING for all the daemons. This limits the amount of content logged so that it is easier to spot the specific log of interest. See Configure the logging level for each Splunk Phantom daemon in Administer Splunk Phantom for instructions.
  2. Run the action from the Splunk Phantom web interface. For example, you can test the connectivity of an asset.
  3. Open the /var/log/phantom/spawn.log file as the root user.
  4. Search for the string 'READ MESSAGE.*test connectivity.*app_config' and go to the last occurrence of the matched line. For example:
    2879 May 13 02:01:44 localhost SPAWN[17613]: IPC_MESSAGES: READ MESSAGE: {"action":"test connectivity","app_config":{"interval_days":"5"},"asset_id":"20","config":{"api_key":"XXXX","api_url":"https://api.isightpartners.com/","app_version":"1.2.19","appname":"-","directory":"isightpartners_79af9fc7-da99-4107-a8fe-fdb887391cdc","download_report":true,"ingest":{"container_label":"campaign","interval_mins":"30","poll":false,"start_time_epoch_utc":null},"main_module":"isightpartners_connector.pyc","secret":"YYY","verify_server_cert":true},"connector_name":"iSight Partners","connector_run_id":0,"container_id":"0","debug_level":3,"dec_key":"20","identifier":"test_asset_connectivity","ipc_version":1,"parameters":[],"phantom_version":"1.2.246","session_id":"a2d5fad2-30bc-4fa2-9106-dfaf4cf039a3","type":"response"}
  5. Copy this line and paste it in a new file. Remove all the text before the first opening brace character ({), so that only the JSON remains, as follows:
    {"action":"test connectivity","app_config":{"interval_days":"5"},"asset_id":"20","config":{"api_key":"XXXX","api_url":"https://api.isightpartners.com/","app_version":"1.2.19","appname":"-","directory":"isightpartners_79af9fc7-da99-4107-a8fe-fdb887391cdc","download_report":true,"ingest":{"container_label":"campaign","interval_mins":"30","poll":false,"start_time_epoch_utc":null},"main_module":"isightpartners_connector.pyc","secret":"YYY","verify_server_cert":true},"connector_name":"iSight Partners","connector_run_id":0,"container_id":"0","debug_level":3,"dec_key":"20","identifier":"test_asset_connectivity","ipc_version":1,"parameters":[],"phantom_version":"1.2.246","session_id":"a2d5fad2-30bc-4fa2-9106-dfaf4cf039a3","type":"response"}
  6. If you are using the vim editor, run the following command after opening the file in vim:
    :%!phenv python -m json.tool
    This command reformats the JSON into a more readable format.

You can use this file as the input test JSON.
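Steps 3 through 6 can also be scripted. The following is an added example, not part of the Splunk documentation; the function names, the output file name, and the sample log lines are constructed for illustration. The output file is created readable by its owner only, because the logged message includes the asset configuration.

```python
import json
import os
import re
import tempfile

# Search pattern from step 4.
MESSAGE_RE = re.compile(r"READ MESSAGE.*test connectivity.*app_config")


def extract_test_json(log_lines, pattern=MESSAGE_RE):
    """Return the JSON payload of the last log line matching pattern, as a dict."""
    matches = [line for line in log_lines if pattern.search(line)]
    if not matches:
        raise ValueError("no matching READ MESSAGE line found")
    line = matches[-1]          # step 4: last occurrence of the match
    start = line.find("{")      # step 5: drop everything before the first "{"
    if start == -1:
        raise ValueError("matched line carries no JSON object")
    # raw_decode ignores anything after the object; malformed JSON still raises.
    payload, _ = json.JSONDecoder().raw_decode(line[start:])
    return payload


def write_test_json(payload, path):
    """Write the payload indented (step 6) to a file created with mode 0600."""
    # The message holds the asset config (api_key and secret in the sample).
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(payload, fh, indent=4, sort_keys=True)
        fh.write("\n")


# Constructed sample lines in the spawn.log layout shown above; values are placeholders.
SAMPLE_LOG = [
    'May 13 02:01:40 localhost SPAWN[17613]: IPC_MESSAGES: READ MESSAGE: '
    '{"action":"test connectivity","app_config":{"interval_days":"1"},"asset_id":"19","parameters":[]}',
    'May 13 02:01:42 localhost SPAWN[17613]: unrelated daemon message',
    'May 13 02:01:44 localhost SPAWN[17613]: IPC_MESSAGES: READ MESSAGE: '
    '{"action":"test connectivity","app_config":{"interval_days":"5"},"asset_id":"20",'
    '"config":{"api_key":"XXXX","secret":"YYY"},"parameters":[]}',
]

if __name__ == "__main__":
    out = os.path.join(tempfile.mkdtemp(), "test_connectivity.json")
    write_test_json(extract_test_json(SAMPLE_LOG), out)
    with open(out) as fh:
        print(fh.read())
```

To run it against a real log, pass an open handle on /var/log/phantom/spawn.log as log_lines.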

Last modified on 10 August, 2020

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7
