Create custom lists for use in Splunk Phantom playbooks
A custom list is a collection of values that you can use in a Splunk Phantom playbook, such as a list of banned countries, or denied or allowed IP addresses. In your Filter and Decision blocks, compare parameters against all the values in a custom list, rather than having to configure each comparison in the playbook.
Create a custom list in Splunk Phantom
Perform the following steps to create a custom list:
- From the Phantom main menu, select Playbooks.
- Click the Custom Lists tab.
- Click + List to create a new list.
- Enter a name for the list.
- Enter the list values in the table using one value per line. For example, you can create a list of banned countries, or denied or allowed IP addresses.
- Click Save Changes.
See Example of using a custom list in a filter for an example of how to use a custom list in a playbook.
Create a custom list using the REST API
See REST Lists in the Splunk Phantom REST API Reference for information about how to manage custom lists using the REST API.
Export a custom list for use with third party products and services
You can use the REST API to export a custom list for use as an external deny list with third party products and services. For example, you can publish a list of banned IP addresses that can be used in your Palo Alto Networks firewall products.
Perform the following tasks to export a Splunk Phantom custom list and use it in a third party product.
- Review the formatting requirements that your third party product or service has for custom lists. For example, Palo Alto Networks products may have specific formatting requirements for their dynamic lists. Review these requirements so that the formatting in your Splunk Phantom custom lists match these formatting requirements of your third party product or service.
- Provide a URI to the custom list in Splunk Phantom using the following format:
https://username:password@[phantom server]/rest/decided_list/[list name]/formatted_content?_output_format=csv
For example, to provide a URI to the Splunk Phantom server phantomserver.example.com, using admin as the user and password as the password, and a custom list named blockdomains:
Create Executive Summary reports and view all reports in Splunk Phantom
Create playbooks to automate analyst workflows in Splunk Phantom
This documentation applies to the following versions of Splunk® Phantom: 4.8