Splunk® Phantom (Legacy)

Release Notes

This documentation does not apply to the most recent version of Splunk® Phantom (Legacy). For documentation on the most recent version, go to the latest release.

Welcome to Splunk Phantom 4.9

If you are new to Splunk Phantom, read About Splunk Phantom in the Use Splunk Phantom manual to learn how you can use Splunk Phantom for security automation.

Begin your Splunk Phantom installation by reviewing the following documentation:

Planning to upgrade from an earlier version?

If you plan to upgrade to this version from an earlier version of Splunk Phantom, read Prepare your Splunk Phantom deployment for upgrade in the Install and Upgrade Splunk Phantom manual.

Splunk Phantom requires incremental upgrades from earlier versions. Do not skip any required versions when upgrading Splunk Phantom.

The upgrade from Splunk Phantom 4.8 to version 4.9 requires upgrading PostgreSQL from version 9.4 to version 11.6. Because of this update, the upgrade process has changed significantly for the following deployment types: unprivileged deployments, deployments where the PostgreSQL database is external to the Splunk Phantom instance, and all clustered deployments.

If your deployment of Splunk Phantom uses an externalized PostgreSQL database (or database cluster), you must upgrade the PostgresSQL database to version 11.6 before you upgrade your Splunk Phantom instance or cluster. See Splunk Phantom upgrade overview and prerequisites.

End of support for CentOS 6 and Red Hat Enterprise Linux 6

Splunk Phantom 4.9 is the final release that supports CentOS version 6 and Red Hat Enterprise Linux version 6. Both CentOS 6 and Red Hat Enterprise Linux will reach End of Life on November 30, 2020.

Customers are encouraged to migrate to CentOS 7 or Red Hat Enterprise Linux 7 or newer in order to use future releases of Splunk Phantom.

Important component changes for Splunk Phantom 4.9

Both the PostgreSQL and GlusterFS components have been upgraded to newer versions in this release.

  • PostgreSQL updated to version 11.6
    • PostgreSQL 9.4 reached End of Life in February of 2020
  • GlusterFS updated to version 7.5
    • GlusterFS 4.1.6 reached End of Life in November of 2019

Changing these components changes the order of the Splunk Phantom platform upgrade process. See Splunk Phantom upgrade overview and prerequisites in the Install and Upgrade Splunk Phantom manual.

What's new in 4.9

This release of Splunk Phantom includes the following enhancements.

New Feature or Enhancement Description
Admin user and licensing The built-in user account for the automation user and the admin user don't count against a seat-based license. New automation users don't count against a seat-based license. Users assigned the admin role still count against a seat-based license. See Seat-based license in Administer Splunk Phantom.
Custom function enhancements Use custom functions to expand the functionality of your playbooks in Splunk Phantom. Custom functions enable you to use your Python skills to expand the kinds of processing performed in a playbook, such as applying string transformations, parsing a raw data input, or calling a third party Python module. Custom functions can also interact with the REST API in a customizable way. You can share custom functions across your team and across multiple playbooks to increase collaboration and efficiency. The following improvements have been made to custom functions:

For more information, see Add custom code to your Splunk Phantom playbook with the custom function block in the Build Playbooks with the Visual Editor manual.

Python 2 and Python 3 default behavior change
  • Python 3 is now the default runtime environment for both the platform and app development. Playbooks and custom functions are written and run in Python 2.
  • The app development commands and script paths have changed. For example, the command to compile with Python 3 is phenv python /opt/phantom/bin/compile_app.pyc, while the command to compile with Python 2 is phenv python2.7 /opt/phantom/bin/py2/compile_app.pyc.

See Platform installation for Python 2 and Python 3 and Tutorial: Use the app wizard to develop an app framework in Develop Apps for Splunk Phantom.

  • phenv now replaces some standalone Splunk Phantom scripts previously in the $PHANTOM_HOME/bin. For example, phenv $PHANTOM_HOME/bin/reindex_section.pyc --section docs should now be used as phenv reindex_section --section docs. For a full list of supported phenv commands, use phenv help.
Action lock You can modify the concurrent action limit to run concurrent actions on a new or existing asset. Use the global action concurrency limit to designate the maximum number of concurrent actions across all assets on the Splunk Phantom platform. See Set the concurrent action limit and Set the global action concurrency limit in Administer Splunk Phantom.
Images and markdown support in notes
  • You can add inline images to notes. See Create a note in Use Splunk Phantom.
  • Notes created in 4.9 and above will now support markdown for a wide variety of text formatting. See Using HTML and markdown in notes in Use Splunk Phantom.
Warm standby enhancements
  • You can reset the standby's database in order to reuse warm standby machines.
  • Splunk Phantom encryption information is now synced between the primary and standby instances, so cloning your machine may not be necessary.
  • You can automate script invocation for your warm standby configuration. See Warm standby script arguments in Administer Splunk Phantom.
Indicator performance improvements
  • Viewing a single indicator's data within a context menu on the investigation page of an event is up to 340 times faster than before.
  • New CEF filter settings in Administration allow you to define which CEF keys create indicator records.
  • Splunk Phantom now creates and manages a series of Postgres materialized views to power the indicator listing page.
    • Improved UI performance of up to 20 times on the indicator listing page and other related pages.
    • Materialized views have a data impact on the system, and all indicators created within the last two years will be stored twice in the database.
    • Views are now refreshed periodically by cron jobs.
REST handlers changes to support Python 2 and Python 3 Splunk Phantom app REST handlers run in a new execution environment to support Python 2 and Python 3 apps. As a result, some REST Handler code may need to change to work in the new environment. If you are using the REST Handler App, you must use version 1.2.36 or newer. See Handling REST requests and Setting your script to recieve REST requests in the REST API Reference for Splunk Phantom manual for more information.
Removed biased language As part of an ongoing process across releases, user-facing mentions of the term "whitelist" were changed to "authorized" in the Event Settings section of the Administration page, as well as in the URL for that section. For more information, see Biased Language Has No Place in Tech.
Performance improvements
  • Pages now load faster across the product.
  • REST API performance has also been improved.
User interface changes
  • The Owner and Status fields were moved back to the header of an event.
  • Fewer clicks are needed to complete a task.
Importing custom lists You can now import custom lists. See Create custom lists for use in Splunk Phantom playbooks in the Use Splunk Phantom manual.
Per instance Splunk indices support If you have multiple Splunk Phantom instances in your environment, you can append a custom prefix to the index created on the Splunk platform. Use the custom prefix to create separate indexes for each Splunk Phantom instance, which provides data separation and the ability to correlate each index with the appropriate Splunk Phantom instance. See Define a custom index per Splunk Phantom instance in the Administer Splunk Phantom manual.
Toggle artifact dependency when running a playbook When creating a new event from Investigation, a new toggle option called Artifact Dependency allows you to set whether or not a playbook can run if no artifacts exist in that playbook. To view this option, perform the following tasks:
  1. From Investigation, click +Event.
  2. Click Advanced to expand the advanced options.
  3. Set the Artifact Dependency toggle as desired.
phantom.decision API Use the new phantom.decision API to fix issues with decision blocks in Splunk Phantom when automation runs against a container with no artifacts. The Visual Playbook Editor will automatically convert decision blocks to use phantom.decision when an existing playbook is edited. For decisions using action result datapaths, phantom.decision is more efficient than phantom.condition as the number of action results increases. See decision in the Python Playbook API Reference for Splunk Phantom manual.
phantom.collect2 API The default behavior of the phantom.collect2 API has been updated.
  • If an action result object is missing a 'summary' key, then a summary key will be added with a default value of an empty dict. For example 'summary': {},. In earlier releases, if an action result was missing a summary key, collect2 would always fail and return [].
  • Action results that do not contain a 'name' key are ignored and will not be collected over if collect2 is given a named action result datapath, for example geolocate_ip_1:action_result.data.*.latitude. In earlier releases, if an action result was missing a name key and one of the provided datapaths was a named action result datapath, collect2 would always fail and return [].
Improved the phsvc --help command Running /opt/phantom/bin/phsvc --help now produces a list of Splunk Phantom services.
Updated /rest/decided_list/. Playbook API /rest/decided_list/ now supports 'txt' as an output format. See: REST Lists in the REST API Reference for Splunk Phantom.
The ibackup tool now supports file-system only backups. There is a new --fs-only flag available for ibackup. Deployments in AWS which use an RDS PostgreSQL database can use this in conjunction with RDS's automatic backups to backup their Splunk Phantom deployment. See Splunk Phantom backup tools in Administer Splunk Phantom.
App code change for Django templates Apps can no longer use the unsupported method of adding custom Django templatetags to render Phantom webserver results. Instead, apps should use the supported method of creating a custom view. See Use custom views to render results in your app in Develop Apps for Splunk Phantom.
Last modified on 19 February, 2021
  Known issues in this release of Splunk Phantom

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters