Splunk® Phantom (Legacy)

Use Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Create custom lists for use in Splunk Phantom playbooks

A custom list is a collection of values that you can use in a Splunk Phantom playbook, such as a list of banned countries, or blocked or allowed IP addresses. Custom lists are used to save information in a visual format that can be used to make decisions or track information about playbooks. In your Filter and Decision blocks, compare parameters against all the values in a custom list, rather than having to configure each comparison in the playbook.

Create or import a custom list in Splunk Phantom

Perform the following steps to create a custom list:

  1. From the Splunk Phantom main menu, select Playbooks.
  2. Click the Custom Lists tab.
  3. Click + List to create a new list.
  4. Enter a name for the list.
  5. Enter the list values in the table using one value per line. For example, you can create a list of banned countries, or blocked or allowed IP addresses.
  6. Click Save Changes.

Perform the following steps to import a custom list:

  1. Click on the import button.
  2. Enter a name for the list.
  3. Select a custom list file. You can upload either .csv or .tsv files. Custom lists have a 2GB limit.
  4. Click Upload.

See Example of using a custom list in a filter in Build Playbooks with the Visual Editor for an example of how to use a custom list in a playbook.

Create a custom list using the REST API

See REST Lists in the REST API Reference for Splunk Phantom for information about how to manage custom lists using the REST API.

Export a custom list for use with third party products and services

You can use the REST API to export a custom list for use as an external blacklist with third party products and services. For example, you can publish a list of banned IP addresses that can be used in your Palo Alto Networks firewall products.

Perform the following tasks to export a Splunk Phantom custom list and use it in a third party product.

  1. Review the formatting requirements that your third party product or service has for custom lists. For example, Palo Alto Networks products may have specific formatting requirements for their dynamic lists. Review these requirements so that the formatting in your Splunk Phantom custom lists match these formatting requirements of your third party product or service.
  2. Provide a URI to the custom list in Splunk Phantom using the following format:
    https://username:password@[phantom server]/rest/decided_list/[list name]/formatted_content?_output_format=csv

    For example, to provide a URI to the Splunk Phantom server phantomserver.example.com, using admin as the user and password as the password, and a custom list named blockdomains:

    https://admin:password@phantomserver.example.com/rest/decided_list/blockdomains/formatted_content?_output_format=csv
Last modified on 02 December, 2020
Create Executive Summary reports and view all reports in Splunk Phantom   Overview of containers

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters