Splunk® Phantom App for Splunk

Use the Splunk Phantom App for Splunk to Forward Events

Acrobat logo Download manual as PDF


Splunk Phantom App for Splunk has been replaced by Splunk App for SOAR Export.
Acrobat logo Download topic as PDF

Run adaptive response actions in Splunk ES to send notable events to Splunk Phantom or Splunk SOAR

You can run adaptive response actions in Splunk Enterprise Security (ES) to send notable events to Splunk Phantom or Splunk SOAR. The notable events appear as artifacts in Splunk Phantom or Splunk SOAR. See Set up Adaptive Response actions in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual for more information about setting up and running adaptive response actions.

Perform the following steps to set up adaptive response actions in Splunk ES and integrate the notable events with Splunk Phantom or Splunk SOAR:

  1. In Splunk Web, navigate to the Splunk Enterprise Security app.
  2. Click the Incident Review tab.
  3. From the time range picker, select the time period you want to view data for, and click Submit. Notable events from your selected time range appear in a table.
  4. Click the drop-down arrow in the Actions column for a notable event.
  5. Click Run Adaptive Response Actions.
  6. In the Adaptive Response Actions dialog, click Add New Response Actions.
  7. Select the desired response action:
    • Click Send to Phantom to send an artifact to Splunk Phantom or Splunk SOAR.
    • Click Run Playbook in Phantom to send an artifact to Splunk Phantom while running a playbook.
  8. In the menu that appears, complete the adaptive response action configuration. The fields are described in the following table:
    Field Required? Description
    Phantom Instance Required
    • If you are running a Send to Phantom adaptive response action, select the Splunk Phantom instance you are connecting to.
    • If you are running a Run Playbook in Phantom adaptive response action, select the Splunk Phantom instance you are connecting to and playbook you want to run.
    Sensitivity Required Sensitivity level for the forwarded event.
    Severity Required Severity level for the forwarded event.
    Label Optional Label for the forwarded event. Your label must match a label that exists on the Splunk Phantom server or in Splunk SOAR, such as the default label events or any custom labels created by Splunk Phantom or Splunk SOAR users. See Troubleshoot the Splunk Phantom App for Splunk for an example search that you can use to verify that you successfully added your label.
    Worker Set Required The search head or heavy forwarder that will send the notable events from Splunk ES to Splunk Phantom or Splunk SOAR:
    Alert Action Account Required for adaptive response relay An existing account name configured on the Alert Action Configuration page. See Set up adaptive response relay on your Splunk instances.


    Leave this field blank if you are not using adaptive response relay to send notable events from Splunk ES to Splunk Phantom or Splunk SOAR.

  9. Click Run.

To view results for your Splunk Phantom or Splunk SOAR instance and playbook, you must run the sync playbooks command from the Splunk Phantom Server Configuration page in the Splunk Phantom App for Splunk. See Connect the Splunk Phantom App for Splunk and the Splunk Platform to a Splunk Phantom server or Splunk SOAR.

Last modified on 13 September, 2021
PREVIOUS
Create and export data models and saved searches to send to Splunk Phantom or SOAR Cloud
  NEXT
Use adaptive response relay to send notable events from Splunk ES to Splunk Phantom or Splunk SOAR

This documentation applies to the following versions of Splunk® Phantom App for Splunk: 4.1.73


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters