Splunk® Phantom App for Splunk

Install and Upgrade the Splunk Phantom App for Splunk



This documentation does not apply to the most recent version of Splunk® Phantom App for Splunk. For documentation on the most recent version, go to the latest release.

Run adaptive response actions in Splunk ES to send notable events to Splunk Phantom

You can run adaptive response actions in Splunk Enterprise Security (ES) to send notable events to Splunk Phantom. The notable events appear as artifacts in Splunk Phantom. See Set up Adaptive Response actions in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual for more information about setting up and running adaptive response actions.

Perform the following steps to set up adaptive response actions in Splunk ES and integrate the notable events with Splunk Phantom:

  1. In Splunk Web, navigate to the Splunk Enterprise Security app.
  2. Click the Incident Review tab.
  3. From the time range picker, select the time period you want to view data for, and click Submit. Notable events from your selected time range appear in a table.
  4. Click the drop-down arrow in the Actions column for a notable event.
  5. Click Run Adaptive Response Actions.
  6. In the Adaptive Response Actions dialog, click Add New Response Actions. Then click either Send to Phantom or Run Playbook in Phantom. Send to Phantom only sends an artifact to Splunk Phantom; Run Playbook in Phantom sends the artifact to Splunk Phantom and also runs the playbook you select against it.
  7. In the menu that appears, select the Splunk Phantom instance, playbook (if applicable), and the sensitivity and severity for your event.
  8. (Optional) Label the event. Your label must match a label that exists on the Splunk Phantom server. Labels on the Splunk Phantom server include the default label events along with any custom labels created by Splunk Phantom users. See Troubleshoot the Phantom App for Splunk for an example search that you can use to verify that you successfully added your label.
  9. Click Run.
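The steps above are performed in the Splunk ES user interface. To make the data flow concrete, the following Python example (added here; it is not code from Splunk or from the Phantom App for Splunk) shows how one notable event, with the label, sensitivity, severity and playbook choices from steps 6 to 8, maps onto the container and artifact that appear in Splunk Phantom. The request-body field names follow the Phantom REST API for containers, artifacts and playbook runs as the author understands it; the sample notable event, the set of server labels, the urgency-to-severity mapping and the TLP-style sensitivity default are all constructed for the example. The label check reproduces the step-8 rule that a label must already exist on the Splunk Phantom server, since a mismatched label is the most common reason an event silently fails to appear.

```python
import json

# Constructed sample: the labels that exist on the Phantom server. "events" is the
# default label; "splunk_es" stands in for a custom label created by a Phantom user.
SERVER_LABELS = frozenset({"events", "splunk_es"})

# Constructed sample of a Splunk ES notable event as shown on the Incident Review tab.
SAMPLE_NOTABLE = {
    "event_id": "0123ABCD-EXAMPLE-NOTABLE-ID",
    "rule_name": "Excessive Failed Logins",
    "urgency": "high",
    "src": "10.0.0.5",
    "user": "jdoe",
    "_time": 1610496000,
}

# Hypothetical mapping from ES urgency levels to the severity values Phantom ships with.
URGENCY_TO_SEVERITY = {
    "critical": "high",
    "high": "high",
    "medium": "medium",
    "low": "low",
    "informational": "low",
}


def validate_label(label, server_labels=SERVER_LABELS):
    """Reject a label that does not exist on the Phantom server (the step-8 rule)."""
    if label not in server_labels:
        raise ValueError(
            "label %r not found on the Phantom server; existing labels: %s"
            % (label, ", ".join(sorted(server_labels)))
        )
    return label


def build_container(notable, label="events", sensitivity="amber",
                    severity=None, run_playbook=False, server_labels=SERVER_LABELS):
    """Build the container body (field names assumed from the Phantom /rest/container API)."""
    validate_label(label, server_labels)
    if severity is None:
        severity = URGENCY_TO_SEVERITY.get(notable.get("urgency", ""), "medium")
    return {
        "name": notable["rule_name"],
        "label": label,
        "severity": severity,
        "sensitivity": sensitivity,
        "source_data_identifier": notable["event_id"],
        # "Send to Phantom" only creates the container and artifact;
        # "Run Playbook in Phantom" also lets automation run on the new artifact.
        "run_automation": run_playbook,
    }


def build_artifact(notable, container_id, label="events", server_labels=SERVER_LABELS):
    """Build the artifact body that carries the notable's fields as CEF key/value pairs."""
    validate_label(label, server_labels)
    cef = {
        "sourceAddress": notable.get("src"),
        "sourceUserName": notable.get("user"),
        "rule_name": notable.get("rule_name"),
    }
    cef = {k: v for k, v in cef.items() if v is not None}  # drop fields the notable lacks
    return {
        "container_id": container_id,
        "name": "Splunk ES notable event",
        "label": label,
        "source_data_identifier": notable["event_id"],
        "cef": cef,
    }


def build_playbook_run(container_id, playbook_id):
    """Body for /rest/playbook_run (assumed), used by the "Run Playbook in Phantom" action."""
    return {"container_id": container_id, "playbook_id": playbook_id,
            "scope": "new", "run": True}


if __name__ == "__main__":
    container = build_container(SAMPLE_NOTABLE, label="splunk_es", run_playbook=True)
    artifact = build_artifact(SAMPLE_NOTABLE, container_id=42, label="splunk_es")
    print(json.dumps(container, indent=2))
    print(json.dumps(artifact, indent=2))
    print(json.dumps(build_playbook_run(42, 7), indent=2))
    try:
        build_container(SAMPLE_NOTABLE, label="typo_label")
    except ValueError as err:
        print("rejected:", err)
```

The container carries the event-level choices (label, severity, sensitivity, whether automation may run) and the artifact carries the notable's fields, which is why a notable event shows up in Splunk Phantom as an artifact inside a container rather than as a bare event. The `source_data_identifier` ties both back to the ES event ID so the same notable is not duplicated on a second run.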

To view results for your Splunk Phantom instance and playbook, you must run the sync playbooks command from the Splunk Phantom Server Configuration page in the Phantom App for Splunk. See Connect the Splunk Phantom App for Splunk and the Splunk Platform to a Splunk Phantom server.

Last modified on 13 January, 2021

This documentation applies to the following versions of Splunk® Phantom App for Splunk: 2.7.5, 3.0.5

