Splunk® Phantom App for Splunk

Use the Splunk Phantom App for Splunk to Forward Events

This documentation does not apply to the most recent version of Splunk® Phantom App for Splunk. For documentation on the most recent version, go to the latest release.

Use adaptive response relay to send notable events from Splunk ES to Splunk Phantom or Splunk SOAR

Adaptive response relay allows adaptive response actions to queue on a heavy forwarder before they are sent to Splunk Phantom or Splunk SOAR. For example, you can use adaptive response relay to send notable events from Splunk Enterprise Security (ES) or Splunk Cloud to Splunk Phantom or Splunk SOAR at a scheduled time when more resources are available.

How adaptive response relay sends notable events from Splunk ES to Splunk Phantom or Splunk SOAR

The search head receives the Splunk Phantom or Splunk SOAR server information and playbooks from the heavy forwarder. The heavy forwarder receives the adaptive response actions from the search head.

This screen image shows how to use a search head and a heavy forwarder to set up adaptive response relay to send notable events from Splunk ES to Splunk Phantom. The description of the setup follows immediately after the image.

To get started, perform the following tasks:

  1. On the search head where you already have Splunk ES and the Splunk Phantom App for Splunk installed:
    1. Obtain and install the Lookup File Editor from Splunkbase.
    2. In the Lookup File Editor app, click cam_workers.csv and verify that worker is set to hf1 and cam_workers is set to ["hf1"]. Change the values if they are not.
  2. Install a Splunk heavy forwarder. On the heavy forwarder:
    1. Install Splunk ES and the Splunk Phantom App for Splunk (this add-on).
    2. Rename the heavy forwarder server to hf1.

Set up adaptive response relay on your Splunk instances

Configure the heavy forwarder and search head to be able to exchange data with each other.

  1. On the search head, go to https://<yoursplunkserver>/en-US/splunkd/__raw/alerts/modaction_queue/key and record the API key.
  2. On the search head, follow the instructions in Configure your Splunk Cloud ES search head with an API key in the Administer Splunk Enterprise Security manual.
  3. On the heavy forwarder, follow the instructions in Configure your on-premises heavy forwarder with an API key in the Administer Splunk Enterprise Security manual.
  4. If you are using Splunk Enterprise, perform the following steps to set up forwarding from the heavy forwarder to Splunk Enterprise. If you are using Splunk Cloud Platform, follow the instructions in How to forward data to Splunk Cloud Platform in the Splunk Universal Forwarder Forwarder Manual to set up forwarding from the heavy forwarder to Splunk Cloud Platform.
    1. On the indexer, set up the receiving port:
      1. In Splunk Web, go to Settings > Forwarding and receiving.
      2. In the Receive data section, click + Add new.
      3. Enter 9997 in the Listen on this port field to set up port 9997 as the receiving port.
      4. Click Save.
    2. On the heavy forwarder, set up forwarding to the indexers:
      1. In Splunk Web, go to Settings > Forwarding and receiving.
      2. In the Configure forwarding section, click + Add new.
      3. In the Host field, enter the IP address and port number (9997) of the indexer. For example:
        192.168.11.12:9997
      4. Click Save.
  5. On the heavy forwarder, follow the instructions in Configure your on-premises heavy forwarder with a modular action relay in the Administer Splunk Enterprise Security manual to set up a modular action relay.
  6. On the search head, follow the instructions in Configure your Splunk Cloud ES search head with a modular action worker in the Administer Splunk Enterprise Security manual to set up the Lookup File Editor and add a cam_worker.
  7. On both the search head and heavy forwarder, add an action response configuration in the Splunk Phantom App for Splunk.
    1. Navigate to the Splunk Phantom App for Splunk.
    2. Click on the Configurations tab.
    3. Click and expand the Alert Action Configuration section.
    4. Click Add Alert Action Configuration to create a new configuration.
    5. Give the configuration a name, and specify the credentials to the heavy forwarder.
    6. Click Save.
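The two values these procedures ask you to verify by hand, the worker and cam_workers columns of cam_workers.csv from the first procedure and the indexer IP:port entered in step 4, can be checked with the following added Python example, which is not part of the Splunk Phantom App or the Splunk documentation. It assumes the lookup is a CSV with the columns worker and cam_workers as displayed in Lookup File Editor, and it constructs a sample lookup inline.

```python
import csv
import io
import ipaddress
import json


def parse_cam_workers(csv_text):
    """Map each `worker` row to the list parsed from its `cam_workers` JSON cell.

    The cell holds a quoted JSON list (for example "[""hf1""]" in the raw CSV),
    so csv.DictReader handles the quoting and json.loads handles the list.
    """
    rows = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            workers = json.loads(row.get("cam_workers") or "[]")
        except json.JSONDecodeError:
            workers = []  # a malformed cell counts as "no workers"
        if isinstance(workers, list):
            rows[row["worker"]] = workers
    return rows


def relay_worker_ok(csv_text, hf_name="hf1"):
    """True only if hf_name is a worker row and is listed in that row's cam_workers."""
    rows = parse_cam_workers(csv_text)
    return hf_name in rows and hf_name in rows[hf_name]


def parse_forward_target(target):
    """Validate an indexer receiving target written as IP:port, e.g. 192.168.11.12:9997."""
    host, sep, port = target.rpartition(":")
    if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad target {target!r}: expected IP:port")
    ipaddress.ip_address(host)  # raises ValueError for a non-IP host; relax for DNS names
    return host, int(port)


# Constructed sample of the lookup contents the procedure asks you to verify.
SAMPLE_CAM_WORKERS = 'worker,cam_workers\nhf1,"[""hf1""]"\n'

if __name__ == "__main__":
    print("cam_workers ok:", relay_worker_ok(SAMPLE_CAM_WORKERS))
    print("indexer target:", parse_forward_target("192.168.11.12:9997"))
```

Point parse_cam_workers at the contents of the real cam_workers.csv on the search head to check a live deployment.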

Synchronize adaptive response relay data between the heavy forwarder and search head

Perform the following tasks so that data between the Splunk instances is synchronized.

  1. Perform the following tasks on the heavy forwarder:
    1. Navigate to the Splunk Phantom App for Splunk.
    2. Click the Configurations tab.
    3. In the ES - Adaptive Response Relay section, click Push Relay Data (on HF). This causes the heavy forwarder to read the phantom.conf file and obtain the server configs that are marked for adaptive response relay and playbook configurations and push this data to the search head. Any events containing the corresponding data are also pushed to the search head. See Connect the Splunk Phantom App for Splunk and the Splunk Platform to a Splunk Phantom server for information about how to mark a server to be used for adaptive response relay.
  2. Perform the following tasks on the search head:
    1. Navigate to the Splunk Phantom App for Splunk.
    2. Click the Configurations tab.
    3. In the ES Adaptive Response - Relay section, click Poll Relay Data (on SH). This causes the search head to run the following search and obtain the server configurations and playbooks:

      index=main source=*/var/log/splunk/phantom_ar_relay.log

Only the most recent 1,000 playbooks can be obtained using adaptive response relay.

Last modified on 13 October, 2021

This documentation applies to the following versions of Splunk® Phantom App for Splunk: 4.1.3
