Run adaptive response actions in Splunk ES to send notable events to Splunk Phantom
You can run adaptive response actions in Splunk Enterprise Security (ES) to send notable events to Splunk Phantom. The notable events appear as artifacts in Splunk Phantom. See Set up Adaptive Response actions in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual for more information about setting up and running adaptive response actions.
Perform the following steps to set up adaptive response actions in Splunk ES and integrate the notable events with Splunk Phantom:
- In Splunk Web, navigate to the Splunk Enterprise Security app.
- Click the Incident Review tab.
- From the time range picker, select the time period you want to view data for, and click Submit. Notable events from your selected time range appear in a table.
- Click the drop-down arrow in the Actions column for a notable event.
- Click Run Adaptive Response Actions.
- In the Adaptive Response Actions dialog, click Add New Response Actions.
- Select the desired response action:
- Click Send to Phantom to send an artifact to Splunk Phantom.
- Click Run Playbook in Phantom to send an artifact to Splunk Phantom while running a playbook.
- In the menu that appears, complete the adaptive response action configuration. The fields are described in the following table:
| Field | Required? | Description |
| --- | --- | --- |
| Phantom Instance | Required | For a Send to Phantom adaptive response action, select the Splunk Phantom instance you are connecting to. For a Run Playbook in Phantom adaptive response action, select the Splunk Phantom instance you are connecting to and the playbook you want to run. |
| Sensitivity | Required | Sensitivity level for the forwarded event. |
| Severity | Required | Severity level for the forwarded event. |
| Label | Optional | Label for the forwarded event. Your label must match a label that exists on the Splunk Phantom server. Labels on the Splunk Phantom server include the default label (events) along with any custom labels created by Splunk Phantom users. See Troubleshoot the Splunk Phantom App for Splunk for an example search that you can use to verify that you successfully added your label. |
| Worker Set | Required | The search head or heavy forwarder that sends the notable events from Splunk ES to Splunk Phantom. Select local to use the current search head to send notable events or run playbooks on Splunk Phantom without using adaptive response relay. Select the heavy forwarder you want to use to send notable events or run playbooks on Splunk Phantom when using adaptive response relay. See Use adaptive response relay to send notable events from Splunk ES to Splunk Phantom. |
| Alert Action Account | Required for adaptive response relay | An existing account name configured on the Alert Action Configuration page. See Set up adaptive response relay on your Splunk instances. Leave this field blank if you are not using adaptive response relay to send notable events from Splunk ES to Splunk Phantom. |
- Click Run.
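The field rules above have one conditional dependency that is easy to get wrong: the Alert Action Account is required exactly when the Worker Set is a heavy forwarder (adaptive response relay) and must stay blank when it is local, and a Label is only accepted if it already exists on the Phantom server. The following pre-flight check encodes those rules so a configuration can be validated before you click Run. It is an added example, not Splunk or Phantom code; the class, function and sample values (instance name, labels, forwarder name) are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Fields that the table marks as always required.
REQUIRED_ALWAYS = ("phantom_instance", "sensitivity", "severity", "worker_set")


@dataclass
class ResponseAction:
    """One Send to Phantom / Run Playbook in Phantom configuration (hypothetical model)."""
    action: str                      # "send_to_phantom" or "run_playbook"
    phantom_instance: Optional[str]
    sensitivity: Optional[str]
    severity: Optional[str]
    worker_set: Optional[str]        # "local" or the name of a heavy forwarder
    playbook: Optional[str] = None   # only used by Run Playbook in Phantom
    label: Optional[str] = None      # must match a label on the Phantom server
    alert_action_account: Optional[str] = None  # required only with relay


def validate(ra: ResponseAction, phantom_labels: set[str]) -> list[str]:
    """Return a list of configuration problems; an empty list means ready to Run."""
    errors: list[str] = []
    for name in REQUIRED_ALWAYS:
        if not getattr(ra, name):
            errors.append(f"{name} is required")
    if ra.action == "run_playbook" and not ra.playbook:
        errors.append("playbook is required for Run Playbook in Phantom")
    if ra.action == "send_to_phantom" and ra.playbook:
        errors.append("playbook is not used by Send to Phantom")
    # Label is optional, but if given it must already exist on the server
    # (phantom_labels is the set of labels you verified with the troubleshooting search).
    if ra.label and ra.label not in phantom_labels:
        errors.append(f"label {ra.label!r} does not exist on the Phantom server")
    # Worker Set "local" means no adaptive response relay; any other value is a
    # heavy forwarder used through relay and then needs an Alert Action Account.
    uses_relay = bool(ra.worker_set) and ra.worker_set != "local"
    if uses_relay and not ra.alert_action_account:
        errors.append("alert_action_account is required when using adaptive response relay")
    if not uses_relay and ra.alert_action_account:
        errors.append("alert_action_account must be blank when not using adaptive response relay")
    return errors


if __name__ == "__main__":
    # Constructed sample: a relay configuration missing its account and using an unknown label.
    bad = ResponseAction("run_playbook", "phantom-prod", "amber", "medium", "hf-01", label="custom")
    for problem in validate(bad, {"events"}):
        print("config error:", problem)
```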
To view results for your Splunk Phantom instance and playbook, you must run the sync playbooks command from the Splunk Phantom Server Configuration page in the Splunk Phantom App for Splunk. See Connect the Splunk Phantom App for Splunk and the Splunk Platform to a Splunk Phantom server.
This documentation applies to the following versions of Splunk® Phantom App for Splunk: 4.0.10, 4.0.35