Splunk® Phantom (Legacy)

Use Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Log in and navigate Splunk Phantom

The Phantom web interface requires a browser with HTML 5, SVG graphics and current TLS support. See Supported browsers in Install and upgrade Splunk Phantom.

To access the Phantom web interface, perform the following tasks:

  1. Enter the IP address you configured for your virtual appliance, or the DNS name if you created one for the IP address.
  2. Enter your login credentials. The default administrative user is admin and the password is password.

The Splunk Phantom home page shows graphs and statistics that are useful for users managing incidents and actions.

Access Account Settings

Click your account name and select Account Settings to access your account settings.

The default admin account on a Splunk Phantom instance is a local account. Local accounts only exist in the database for the Splunk Phantom web interface and can't be used to log into the operating system or any external authentication server.

Each account must have at least one email address associated with it. Splunk Phantom uses this email address as part of the approval process workflow.

Splunk Phantom also supports single sign-on authentication from various identity providers. For more information, see Configuring single sign-on authentication for Splunk Phantom in the Administer Splunk Phantom manual.

Account Settings

You can configure various settings through the account settings page. Use this page to configure user settings, notifications, change your password, and register a mobile device.

User Settings

For LDAP users, First Name, Last Name, Title, and Location are pulled from LDAP and automatically filled in, so you cannot edit those. The email field is also pulled from LDAP if it exists, but it's editable in case you want to receive email elsewhere, and because the email field in Phantom is critical for sending email notifications.

For a local account, the primary email is the username you log in with. You can change it at any time, but you must use the new email address the next time you log in. Your current login session continues until you log out, your session expires, or you switch browsers or machines.


You receive email notifications when the status of an incident changes or when an incident is about to expire. You can configure your notification settings to meet your needs.

You can view Splunk Phantom notifications on your mobile device using the Splunk Mobile app. See View a notification to learn how to view Splunk Phantom notifications on your mobile device.

Some notification types are not implemented. For example, there is not yet an incident watchlist, so the "Incident on watchlist changed" notification does not do anything in the current version of Splunk Phantom. Also, privileges have not yet been implemented on notifications, so users with no particular roles can opt to see notifications for All Incidents.

Change Password

Only local users will see the Change Password tab. LDAP users will need to change their password on the Active Directory or other LDAP server that they are using to log into Phantom. For a local user to change their password, they enter their current password in the appropriate field, and enter the new password twice (since it will be showing asterisks instead of what they typed), and then they click the Change Password button. Password complexity settings may be adjusted in the Account Security tab under User Management (Administration section).

Mobile device registration

Contact a Splunk Phantom admin to enable mobile device registration so that you can register your mobile device and get started with the Splunk mobile apps. You can register multiple devices, but one device cannot be registered to multiple users.


An admin must enable the mobile feature on your Phantom instance. See Enable mobile device registration with Splunk Phantom in the Administer Splunk Phantom manual.


  1. Download Splunk Mobile onto your mobile device and install it.
    See Download Splunk Mobile for iOS or Download Splunk Mobile for Android to download the Splunk Mobile app.
  2. On your mobile device, tap the gear icon to get to the Settings page.
  3. Tap manage instances in the Settings page.
    A pop-up opens.
  4. Tap the word edit in the pop-up.
  5. Tap the Register button in the pop-up. The 10-digit code appears on the mobile device.
  6. From your Splunk Phantom account settings menu in the Splunk Phantom instance click on Name > Account Settings > Mobile Device Registration:
    1. Enter the 10-digit code from the mobile device into the activation code fields.
    2. Enter a name for the device in the device name field.
    3. Click Register.
    4. A confirmation code pop-up window appears. If this matches the confirmation code on the mobile device, then login with your Splunk Phantom instance credentials, and click Continue.
  7. To add additional devices, click + New Device and follow the previous steps again.

Your registered devices display in a table. These are the devices that will receive push notifications from Splunk Phantom for approvals, prompts, manual tasks, and workbook tasks.

When you no longer want access to the mobile app from a particular mobile device, you can unregister from the app itself or you can do the following to unregister the device on Splunk Phantom:

  1. Locate the device by name or by type in the table.
  2. In the Action column, click remove.
  3. Confirm at the prompt by clicking remove.

It is also possible for a Splunk Phantom admin to unregister your mobile device. If an admin unregisters your device, it will disappear from your account settings. If an admin deletes your user account, you will no longer be able to access Splunk Phantom through the mobile app.

View Splunk Phantom product documentation

Users can set a default choice for viewing documentation. The default is Online, which means that the documentation links in the platform go to docs.splunk.com. Offline means that the documentation links in the platform go to a local copy of the docs in PDF format.

Online docs are continuously updated and include the most recent changes and improvements to the Splunk Phantom documentation. You can create an offline copy of the docs at any time using the Download manual as PDF link on the page at docs.splunk.com.

To change the default view to Offline, complete the following steps:

  1. Navigate to the main menu.
  2. Select Documentation.
  3. Click Offline.
Last modified on 07 February, 2020
Who should read this manual?   Start with Investigation in Splunk Phantom

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters