Splunk® Phantom (Legacy)

Administer Splunk Phantom

Create custom CEF fields in Splunk Phantom

Splunk Phantom uses the Common Event Format (CEF). CEF is a system of key-value pairs for important pieces of information about an artifact.

An artifact might have several key pieces of information such as sourceAddress, sourcePort, destinationAddress, destinationPort, and a timestamp. Each of these is stored in a field.

You can only have one of each CEF field per artifact. For example, you cannot have more than one sourceAddress per artifact. If you have a data set that includes multiple sourceAddress entries, separate those into multiple artifacts. Each of those artifacts can be placed in the same container.

You can extend or customize CEF to meet your organization's needs by adding custom CEF fields, and then using these fields in Investigation, add them to artifacts with the REST API, or using them in playbooks.

When an artifact is edited from Investigation, values set for a custom CEF appear as indicators. You can view these indicators by selecting Indicators in the main menu.

You can add, delete, or modify a custom CEF using the REST API.

Create a custom CEF field

Perform the following steps to create a custom CEF field:

  1. From the Main Menu, select Administration.
  2. Select Administration Settings > CEF.
  3. Click + CEF.
  4. Type a name for your customized CEF.
  5. (Optional) Select a data type for the field from the dropdown list.

Available choices are prepopulated with all enabled Apps actions. You can add your own data type or leave the data type blank. Leaving this blank allows users to enter a value while editing the artifact in Mission Control.

  1. Click Save.

Modify a custom CEF field

Perform the following steps to modify a custom CEF field:

  1. From the Main Menu, select Administration.
  2. Select Administration Settings > CEF.
  3. Click the edit icon to the right of the CEF name.
  4. Make the desired changes.
  5. Click Save.

Delete a custom CEF field

Perform the following steps to delete a custom CEF field:

  1. From the Main Menu, select Administration.
  2. Select Administration Settings > CEF.
  3. Click the ⓧ icon to the right of the custom CEF field name.

Deleting a custom CEF does not remove it from existing artifacts that have the field applied.

Last modified on 22 January, 2020
Add tags to objects in Splunk Phantom   Reset the admin and root passwords in

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters