Splunk® Phantom App for Splunk

Use the Splunk Phantom App for Splunk to Forward Events

This documentation does not apply to the most recent version of Splunk® Phantom App for Splunk. For documentation on the most recent version, go to the latest release.

Connect the Splunk Phantom App for Splunk and the Splunk Platform to a Splunk Phantom server or Splunk SOAR

Configure a Splunk Phantom server so that the Splunk Phantom App for Splunk and the Splunk platform can connect to your Splunk Phantom or Splunk SOAR instance.

To configure a Splunk Phantom server, follow these steps:

  1. Before you begin, make sure you have added the required roles to the admin user. See Enable Splunk platform users to use the Splunk Phantom App for Splunk.
  2. (Only if needed) If you have not yet configured TLS certificates for Splunk Phantom and the Splunk platform, disable HTTPS certificate validation on the Splunk platform. Treat this as a temporary measure: without certificate validation the Splunk platform cannot tell your Splunk Phantom instance apart from a server impersonating it, so re-enable validation (run the same command with value=1) as soon as certificates are in place. Perform the following steps:
    1. Run the following command, supplying your Splunk username and the address of the splunkd management port. Leaving the password out of -u makes curl prompt for it, so it does not end up in your shell history or process list; -k skips certificate checking of the management port for this one request and can be dropped if that port presents a trusted certificate:
      curl -k -u '<username>' 'https://<splunkaddress>:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs?output_mode=json' -d value=0
    2. Return to the Phantom Server Configuration page and verify that the HTTPS certificate verification is disabled message appears with a warning icon.
  3. Navigate to the Phantom App for Splunk installed on your Splunk platform instance.
  4. Click the Configurations tab.
  5. Click Create Server.
  6. To add a new server, use an authorization token from Splunk Phantom or Splunk SOAR. To get an authorization token, follow these steps:
    1. Navigate to your Splunk Phantom or Splunk SOAR instance.
    2. From the main menu, select Administration.
    3. Select User Management > Users.
    4. You can either use the default automation user and change its allowed IP addresses, or create a new automation user. This example creates a new one: click + User.
    5. Update the Allowed IPs field to reflect the IP address or IP range for the Splunk platform instance.

      Do not set Allowed IPs to any (which accepts this user's token from every source address) unless you are troubleshooting or testing, and restore the restricted range afterwards.

    6. Click Create to create the user.
    7. On the Users page, click on the ellipsis (...) icon for the new automation user and click Edit.
    8. Copy the text in the Authorization Configuration for REST API box.
    9. Click Save.
  7. Navigate back to the Phantom App for Splunk on your Splunk platform instance and paste the authorization token in the Authorization Configuration box. Verify that the format of the object looks like the following example:
    {
      "ph-auth-token": "*********",
      "server": "https://10.1.65.229"
    }
    
  8. Enter an optional name for the server. This name appears later in Splunk Phantom or Splunk SOAR as the container name, so pick one you can easily identify.
  9. (Optional) Configure a Proxy server. For example:
    • An example HTTP proxy in the format http://[<username>[:password]@]<host>[:<port>]. For example:
      http://172.31.225.254:8080
    • An example HTTPS proxy in the format https://[<username>[:password]@]<host>[:<port>]. For example:
      https://username:password@proxy.host.com:8080
  10. (Optional) Select Optional: This server will be used for AR Relay if this server will be used in an adaptive response relay configuration. See Use adaptive response relay to send notable events from Splunk ES to Splunk Phantom or Splunk SOAR.
  11. Click Save. A page shows your new server. If you have multiple servers, they are listed on this page.
  12. To test your server, click Manage > Test Connectivity. A success message appears if the server is working correctly.
  13. (Optional) Click Manage > Sync Playbooks to further test connectivity and make sure that your playbooks are synchronized. See Synchronize the list of available Splunk Phantom or Splunk SOAR playbooks on your Splunk platform.
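The two values typed into the server form above, the Authorization Configuration object from step 7 and the proxy URL from step 9, are easy to get subtly wrong (a masked token pasted from the Users page, an http:// server that would send the token in the clear, a malformed proxy string). The following is an added example, not code from the Phantom App for Splunk or from Splunk, that checks both before you click Save. It assumes only the formats shown on this page; the token, addresses and host names in it are constructed placeholders.

```python
"""Pre-save checks for the Phantom App for Splunk server form (added example).

Checks the Authorization Configuration JSON (keys "ph-auth-token" and "server")
and a proxy URL of the form http[s]://[<username>[:password]@]<host>[:<port>].
"""
import json
import re
from urllib.parse import urlsplit

# Constructed inputs for the example; not real credentials or hosts.
AUTH_CONFIG_OK = '{"ph-auth-token": "0123456789abcdefEXAMPLEtoken", "server": "https://10.1.65.229"}'
AUTH_CONFIG_BAD = '{"ph-auth-token": "*********", "server": "http://soar.example.internal/"}'

# Proxy format from the page; IPv6 literals are out of scope for this check.
PROXY_RE = re.compile(
    r"^(?P<scheme>https?)://"
    r"(?:(?P<user>[^:@/]+)(?::(?P<password>[^@/]*))?@)?"
    r"(?P<host>[^:@/\s]+)"
    r"(?::(?P<port>\d{1,5}))?$"
)


def check_auth_config(text: str) -> list:
    """Return the problems found in the pasted authorization object; [] means OK."""
    problems = []
    try:
        obj = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(obj, dict):
        return ["expected a JSON object with ph-auth-token and server"]
    for key in ("ph-auth-token", "server"):
        if key not in obj:
            problems.append(f"missing key {key!r}")
    for key in obj.keys() - {"ph-auth-token", "server"}:
        problems.append(f"unexpected key {key!r}")
    token = obj.get("ph-auth-token", "")
    if not isinstance(token, str) or not token.strip():
        problems.append("ph-auth-token is empty")
    elif set(token) == {"*"}:
        # A run of asterisks is the UI's mask of a saved token, not the token itself.
        problems.append("ph-auth-token looks like a masked placeholder; copy the real token")
    server = obj.get("server", "")
    parts = urlsplit(server if isinstance(server, str) else "")
    if parts.scheme != "https":
        problems.append("server must use https:// (over http the token travels in clear text)")
    if not parts.netloc:
        problems.append("server has no host")
    if parts.path or parts.query or parts.fragment:
        problems.append("server should be https://<host>[:<port>] with no path or query")
    return problems


def check_proxy_url(url: str) -> dict:
    """Parse a proxy URL into its parts; 'problems' blocks saving, 'warnings' do not."""
    m = PROXY_RE.match(url)
    if not m:
        return {"problems": ["proxy URL does not match http[s]://[user[:password]@]host[:port]"],
                "warnings": []}
    g = m.groupdict()
    result = {
        "scheme": g["scheme"],
        "user": g["user"],
        "password_set": g["password"] is not None,  # never echo the password itself
        "host": g["host"],
        "port": int(g["port"]) if g["port"] else None,
        "problems": [],
        "warnings": [],
    }
    if result["port"] is not None and not 1 <= result["port"] <= 65535:
        result["problems"].append("port out of range 1-65535")
    if result["user"] is not None:
        # Credentials inside the URL are saved as part of the server configuration
        # and appear wherever that URL is printed; use them only when the proxy requires it.
        result["warnings"].append("proxy credentials are embedded in the URL")
    return result


if __name__ == "__main__":
    for label, cfg in (("ok", AUTH_CONFIG_OK), ("bad", AUTH_CONFIG_BAD)):
        print(label, check_auth_config(cfg) or "no problems")
    for proxy in ("http://172.31.225.254:8080", "https://username:password@proxy.host.com:8080"):
        print(proxy, check_proxy_url(proxy))
```

Run it before pasting the values into the form; anything in a problems list means the server entry will fail Test Connectivity or, worse, connect insecurely.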

Do not click Enable debug logging unless directed to do so by Splunk support. Debug logging causes a heavy load on your server.

Synchronize the list of available Splunk Phantom or Splunk SOAR playbooks on your Splunk platform

You can run adaptive response actions in Splunk Enterprise Security (ES) to send a notable event to Splunk Phantom or Splunk SOAR and also run a playbook on the resulting artifact. Perform the following tasks to make sure that the list of available playbooks is up to date on your Splunk platform. The list of playbooks is maintained in the <SPLUNK_HOME>/etc/apps/phantom/local/phantom.conf file.

  1. Navigate to the Phantom App for Splunk installed on your Splunk platform.
  2. Click the Configurations tab.
  3. In the Actions column for the desired server, select Manage > Sync playbooks.

See Run adaptive response actions in Splunk ES to send notable events to Splunk Phantom or Splunk SOAR for more information about running adaptive response actions in Splunk ES.

Last modified on 08 September, 2021

This documentation applies to the following versions of Splunk® Phantom App for Splunk: 4.1.3
