Run adaptive response actions in Splunk ES to send notable events to Splunk Phantom

You can run adaptive response actions in Splunk Enterprise Security (ES) to send notable events to Splunk Phantom. The notable events appear as artifacts in Splunk Phantom. See Set up Adaptive Response actions in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual for more information about setting up and running adaptive response actions.

Perform the following steps to set up adaptive response actions in Splunk ES and integrate the notable events with Splunk Phantom:

1. In Splunk Web, navigate to the Splunk Enterprise Security app.
2. Click the Incident Review tab.
3. From the time range picker, select the time period you want to view data for, and click Submit. Notable events from your selected time range appear in a table.
4. Click the drop-down arrow in the Actions column for a notable event.
5. Click Run Adaptive Response Actions.
6. In the Adaptive Response Actions dialog, click Add New Response Actions. Then click either Send to Phantom or Run Playbook in Phantom. Send to Phantom sends an artifact to Splunk Phantom, while Run Playbook in Phantom sends an artifact to Splunk Phantom while running a playbook.
7. In the menu that appears, select the Splunk Phantom instance, playbook (if applicable), and the sensitivity and severity for your event.
8. (Optional) Label the event. Your label must match a label that exists on the Splunk Phantom server. Labels on the Splunk Phantom server include the default label events along with any custom labels created by Splunk Phantom users. See Troubleshoot the Phantom App for Splunk for an example search that you can use to verify that you successfully added your label.
9. Click Run.

To view results for your Splunk Phantom instance and playbook, you must run the sync playbooks command from the Splunk Phantom Server Configuration page in the Phantom App for Splunk. See Connect the Splunk Phantom App for Splunk and the Splunk Platform to a Splunk Phantom server.