Splunk® Phantom

Use Splunk Phantom

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Phantom. Click here for the latest version.
Acrobat logo Download topic as PDF

Create custom lists for use in Splunk Phantom playbooks

A custom list is a collection of values that you can use in a Splunk Phantom playbook, such as a list of banned countries, or denied or allowed IP addresses. In your Filter and Decision blocks, compare parameters against all the values in a custom list, rather than having to configure each comparison in the playbook.

Create a custom list in Splunk Phantom

Perform the following steps to create a custom list:

  1. From the Phantom main menu, select Playbooks.
  2. Click the Custom Lists tab.
  3. Click + List to create a new list.
  4. Enter a name for the list.
  5. Enter the list values in the table using one value per line. For example, you can create a list of banned countries, or denied or allowed IP addresses.
  6. Click Save Changes.

See Example of using a custom list in a filter for an example of how to use a custom list in a playbook.

Create a custom list using the REST API

See REST Lists in the Splunk Phantom REST API Reference for information about how to manage custom lists using the REST API.

Export a custom list for use with third party products and services

You can use the REST API to export a custom list for use as an external deny list with third party products and services. For example, you can publish a list of banned IP addresses that can be used in your Palo Alto Networks firewall products.

Perform the following tasks to export a Splunk Phantom custom list and use it in a third party product.

  1. Review the formatting requirements that your third party product or service has for custom lists. For example, Palo Alto Networks products may have specific formatting requirements for their dynamic lists. Review these requirements so that the formatting in your Splunk Phantom custom lists match these formatting requirements of your third party product or service.
  2. Provide a URI to the custom list in Splunk Phantom using the following format:
    https://username:password@[phantom server]/rest/decided_list/[list name]/formatted_content?_output_format=csv

    For example, to provide a URI to the Splunk Phantom server phantomserver.example.com, using admin as the user and password as the password, and a custom list named blockdomains:

    https://admin:password@phantomserver.example.com/rest/decided_list/blockdomains/formatted_content?_output_format=csv
Last modified on 10 June, 2020
PREVIOUS
Create Executive Summary reports and view all reports in Splunk Phantom
  NEXT
Create playbooks to automate analyst workflows in Splunk Phantom

This documentation applies to the following versions of Splunk® Phantom: 4.8


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters