Welcome to Splunk Phantom 4.9
If you are new to Splunk Phantom, read About Splunk Phantom in the Use Splunk Phantom manual to learn how you can use Splunk Phantom for security automation.
Begin your Splunk Phantom installation by reviewing the following documentation:
- Known issues in this release of Splunk Phantom
- How can Splunk Phantom be installed? in the Install and Upgrade Splunk Phantom manual.
- General system requirements in the Install and Upgrade Splunk Phantom manual.
Planning to upgrade from an earlier version?
If you plan to upgrade to this version from an earlier version of Splunk Phantom, read Prepare your Splunk Phantom deployment for upgrade in the Install and Upgrade Splunk Phantom manual.
Splunk Phantom requires incremental upgrades from earlier versions. Do not skip any required versions when upgrading Splunk Phantom.
The upgrade from Splunk Phantom 4.8 to version 4.9 requires upgrading PostgreSQL from version 9.4 to version 11.6.
Because of this update, the upgrade process has changed significantly for the following deployment types:
unprivileged deployments, deployments where the PostgreSQL database is external to the Splunk Phantom instance, and all clustered deployments.
If your deployment of Splunk Phantom uses an externalized PostgreSQL database (or database cluster), you must upgrade the PostgresSQL database to version 11.6 before you upgrade your Splunk Phantom instance or cluster. See Splunk Phantom upgrade overview and prerequisites.
End of support for CentOS 6 and Red Hat Enterprise Linux 6
Splunk Phantom 4.9 is the final release that supports CentOS version 6 and Red Hat Enterprise Linux version 6. Both CentOS 6 and Red Hat Enterprise Linux will reach End of Life on November 30, 2020.
Customers are encouraged to migrate to CentOS 7 or Red Hat Enterprise Linux 7 or newer in order to use future releases of Splunk Phantom.
Important component changes for Splunk Phantom 4.9
Both the PostgreSQL and GlusterFS components have been upgraded to newer versions in this release.
- PostgreSQL updated to version 11.6
- PostgreSQL 9.4 reached End of Life in February of 2020
- GlusterFS updated to version 7.5
- GlusterFS 4.1.6 reached End of Life in November of 2019
Changing these components changes the order of the Splunk Phantom platform upgrade process. See Splunk Phantom upgrade overview and prerequisites in the Install and Upgrade Splunk Phantom manual.
What's new in 4.9
This release of Splunk Phantom includes the following enhancements.
|New Feature or Enhancement||Description|
|Admin user and licensing||The built-in user account for the automation user and the admin user don't count against a seat-based license. New automation users don't count against a seat-based license. Users assigned the admin role still count against a seat-based license. See Seat-based license in Administer Splunk Phantom.|
|Custom function enhancements||Use custom functions to expand the functionality of your playbooks in Splunk Phantom. Custom functions enable you to use your Python skills to expand the kinds of processing performed in a playbook, such as applying string transformations, parsing a raw data input, or calling a third party Python module. Custom functions can also interact with the REST API in a customizable way. You can share custom functions across your team and across multiple playbooks to increase collaboration and efficiency. The following improvements have been made to custom functions:
For more information, see Add custom code to your Splunk Phantom playbook with the custom function block in the Automate Workflows with Splunk Phantom Playbooks manual.
|Python 2 and Python 3 default behavior change||
See Platform installation for Python 2 and Python 3 and Tutorial: Use the app wizard to develop an app framework in Develop Apps for Splunk Phantom.
|Action lock||You can modify the concurrent action limit to run concurrent actions on a new or existing asset. Use the global action concurrency limit to designate the maximum number of concurrent actions across all assets on the Splunk Phantom platform. See Set the concurrent action limit and Set the global action concurrency limit in Administer Splunk Phantom.|
|Images and markdown support in notes|
|Warm standby enhancements||
|Indicator performance improvements||
|REST handlers changes to support Python 2 and Python 3||Splunk Phantom app REST handlers run in a new execution environment to support Python 2 and Python 3 apps. As a result, some REST Handler code may need to change to work in the new environment. If you are using the REST Handler App, you must use version 1.2.36 or newer. See Handling REST requests and Setting your script to recieve REST requests in the Splunk Phantom REST API Reference manual for more information.|
|Removed biased language||As part of an ongoing process across releases, user-facing mentions of the term "whitelist" were changed to "authorized" in the Event Settings section of the Administration page, as well as in the URL for that section. For more information, see Biased Language Has No Place in Tech.|
|User interface changes||
|Importing custom lists||You can now import custom lists. See Create custom lists for use in Splunk Phantom playbooks in the Use Splunk Phantom manual.|
|Per instance Splunk indices support||If you have multiple Splunk Phantom instances in your environment, you can append a custom prefix to the index created on the Splunk platform. Use the custom prefix to create separate indexes for each Splunk Phantom instance, which provides data separation and the ability to correlate each index with the appropriate Splunk Phantom instance. See Define a custom index per Splunk Phantom instance in the Administer Splunk Phantom manual.|
|Toggle artifact dependency when running a playbook||When creating a new event from Investigation, a new toggle option called Artifact Dependency allows you to set whether or not a playbook can run if no artifacts exist in that playbook. To view this option, perform the following tasks:
|phantom.decision API||Use the new phantom.decision API to fix issues with decision blocks in Splunk Phantom when automation runs against a container with no artifacts. The Visual Playbook Editor will automatically convert decision blocks to use phantom.decision when an existing playbook is edited. For decisions using action result datapaths, phantom.decision is more efficient than phantom.condition as the number of action results increases. See decision in the Splunk Phantom Playbook API Reference manual.|
|phantom.collect2 API||The default behavior of the phantom.collect2 API has been updated.
Known issues in this release of Splunk Phantom
This documentation applies to the following versions of Splunk® Phantom: 4.9