Splunk® Phantom App for Splunk

Install and Upgrade the Splunk Phantom App for Splunk



This documentation does not apply to the most recent version of Splunk® Phantom App for Splunk. For documentation on the most recent version, go to the latest release.

Connect the Splunk Phantom App for Splunk and the Splunk Platform to a Splunk Phantom server

Configure a Splunk Phantom server so that the Splunk Phantom App for Splunk and the Splunk platform can connect to your Splunk Phantom instance.

To configure a Splunk Phantom server, follow these steps:

  1. Navigate to the Phantom App for Splunk installed on your Splunk platform instance.
  2. Click the Configuration tab.
  3. Click Create Server.
  4. To add a new server, use an authorization token from Splunk Phantom. To get an authorization token, follow these steps:
    1. Navigate to your Splunk Phantom instance.
    2. From the main menu, select Administration.
    3. Select User Management > Users.
    4. Click on the ... icon in the card for any Automation user and select Edit.
    5. Change the Allowed IPs field to reflect the IP address or IP range for the Splunk platform instance.
    6. Copy the text in the Authorization Configuration for REST API box.
    7. Click Save.
  5. Navigate back to the Phantom App for Splunk on your Splunk platform instance and paste the authorization token in the Authorization Configuration box.
  6. Enter an optional name for the server. This will show up later in Splunk Phantom as your container name, so pick a name you can easily identify.
  7. (Optional) Configure a Proxy server.
  8. (Optional) Select Optional: This server will be used for AR Relay if the server will take part in an adaptive response relay configuration. See Use adaptive response relay to send notable events from Splunk ES to Splunk Phantom.
  9. Click Save. A page shows your new server. If you have multiple servers, they are listed on this page.
  10. To test your server, click Manage > Test Connectivity. A success message appears if the server is working correctly.
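Two of the settings in this procedure decide how exposed the connection is: the authorization token pasted in step 5, and the Allowed IPs scope set for the automation user in step 4. The following Python script is an added example, not Splunk's or Phantom's own code, that checks a pasted authorization configuration and an Allowed IPs value offline before you click Save. It assumes the pasted text is JSON with `server` and `ph-auth-token` fields, that Allowed IPs is a comma-separated list of IP addresses or CIDR ranges (with `any` meaning unrestricted), and it uses constructed sample values throughout.

```python
import ipaddress
import json
from urllib.parse import urlparse

# Constructed sample of the text copied from the "Authorization Configuration
# for REST API" box. The field names are an assumption for this example and
# the token is a placeholder, not a real value.
SAMPLE_AUTH_CONFIG = json.dumps({
    "ph-auth-token": "PLACEHOLDER_TOKEN_COPIED_FROM_PHANTOM",
    "server": "https://phantom.example.internal",
})


def parse_auth_config(text):
    """Parse the pasted authorization configuration and return (server, token).

    Raises ValueError when the blob is not JSON or a required field is missing,
    which is the usual cause of a failed Test Connectivity after a bad paste.
    """
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"authorization configuration is not valid JSON: {exc}")
    missing = [k for k in ("server", "ph-auth-token") if not data.get(k)]
    if missing:
        raise ValueError(f"authorization configuration lacks {missing}")
    return data["server"], data["ph-auth-token"]


def server_uses_tls(server):
    """True when the Phantom server URL is https://, so the token never travels in clear text."""
    parsed = urlparse(server)
    return parsed.scheme == "https" and bool(parsed.hostname)


def parse_allowed_ips(allowed_ips):
    """Turn the Allowed IPs value into network objects.

    Single addresses become /32 (or /128) networks; 'any' or an empty value
    means unrestricted and is returned as None. The comma-separated IP/CIDR
    format is an assumption for this example.
    """
    value = allowed_ips.strip().lower()
    if value in ("", "any"):
        return None
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in value.split(",") if item.strip()]


def splunk_ip_is_allowed(allowed_ips, splunk_ip):
    """Check that the Splunk platform address falls inside Allowed IPs."""
    networks = parse_allowed_ips(allowed_ips)
    if networks is None:
        return True
    addr = ipaddress.ip_address(splunk_ip)
    return any(addr in net for net in networks)


def audit_server_config(auth_config_text, allowed_ips, splunk_ip):
    """Return a list of findings; an empty list means the configuration looks right."""
    findings = []
    try:
        server, _token = parse_auth_config(auth_config_text)
    except ValueError as exc:
        return [str(exc)]
    if not server_uses_tls(server):
        findings.append(f"server {server!r} does not use https; the token would travel in clear text")
    if parse_allowed_ips(allowed_ips) is None:
        findings.append("Allowed IPs is unrestricted ('any'); scope the automation user to the Splunk platform address or range")
    elif not splunk_ip_is_allowed(allowed_ips, splunk_ip):
        findings.append(f"Splunk platform address {splunk_ip} is outside Allowed IPs {allowed_ips!r}; Test Connectivity will fail")
    return findings


if __name__ == "__main__":
    # Constructed Splunk platform address and three Allowed IPs values to compare.
    for allowed in ("10.20.30.0/24", "any", "192.0.2.7"):
        print(allowed, "->", audit_server_config(SAMPLE_AUTH_CONFIG, allowed, "10.20.30.5") or "OK")
```

Run it with the pasted text and the Allowed IPs value you intend to save; the only case that returns no findings is an https:// server URL with an Allowed IPs range that actually contains the Splunk platform address, which is also the only case in which Test Connectivity in step 10 can succeed.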

Do not click Enable debug logging unless directed to do so by Splunk support. Debug logging causes a heavy load on your server.

Synchronize the list of available Splunk Phantom playbooks on your Splunk platform

You can run an adaptive response action in Splunk Enterprise Security (ES) to send a notable event to Splunk Phantom and also run a playbook on the resulting artifact. Perform the following tasks to make sure that the list of available Splunk Phantom playbooks is up to date on your Splunk platform. The list of playbooks is maintained in the <SPLUNK_HOME>/etc/apps/phantom/local/phantom.conf file.

  1. Navigate to the Phantom App for Splunk installed on your Splunk platform instance.
  2. Click the Configuration tab.
  3. In the Actions column for the desired server, select Manage > Sync playbooks.

See Run adaptive response actions in Splunk ES to send notable events to Splunk Phantom for more information about running adaptive response actions in Splunk ES.

Last modified on 13 January, 2021

This documentation applies to the following versions of Splunk® Phantom App for Splunk: 4.0.10, 4.0.35

