Splunk® Phantom App for Splunk

Use the Splunk Phantom App for Splunk to Forward Events

Acrobat logo Download manual as PDF


Splunk Phantom App for Splunk has been replaced by Splunk App for SOAR Export.
Acrobat logo Download topic as PDF

Welcome to the Splunk Phantom App for Splunk release 4.1.73

This release of the Splunk Phantom App for Splunk includes the following enhancements:

Product Area Enhancement and Description
Python 3 compatibility This release of the Splunk Phantom App for Splunk requires Python 3. Check the install stanza in the $SPLUNK_HOME/etc/shclusterapps/phantom/default/app.conf file on the search head cluster and verify that python.version is set to python3. If there is no setting, or if the setting is python2, perform the following steps:
  1. Edit the $SPLUNK_HOME/etc/apps/phantom/local/app.conf file on your standalone instance or $SPLUNK_HOME/etc/shclusterapps/phantom/default/app.conf file on your search head cluster deployer.
  2. In the install stanza, set the python.version as follows: 
    python.version = python3

The Python version from the $SPLUNK_HOME/etc/shcluster/apps/phantom/local/app.conf file is used to overwrite the value in the $SPLUNK_HOME/etc/apps/phantom/default/app.conf file.

Performance
  • Performance improvements for container and artifact creation in Splunk Phantom and Splunk SOAR. As part of the performance improvements, event forwarding configurations are saved as search alerts instead of reports.
  • Performance improvements for the workbooks tab.
Event forwarding
  • Custom advanced time parameters Earliest Time and Latest Time are added to the saved search event forwarding configuration. See Create a saved search export to send data to Splunk Phantom.
  • The following saved search fields are changed between release 4.1.3 and this release:
    • The alert.digest_mode was 0 in release 4.1.3. In this release, it is 1.
    • Added alert_comparator = greater than
    • Added alert_threshold = 0
    • For scheduled searches, added alert_type = number of events
  • Alert actions and adaptive response actions now use the cim_modactions index instead of phantom_modalert index

    Before you upgrade to this version of the Splunk Phantom App for Splunk, make sure you save all your data in the phantom_modalert index. The phantom_modalert index is deleted when you upgrade to this release.

Workbook management Select multiple workbooks to delete, purge, or restore, and also filter the workbooks that appear in the Workbooks table. See Determine which workbooks are synchronized by deleting, restoring, or purging workbooks.
App infrastructure changes
  • Added app.manifest to the app folder. See Splunk Packaging Toolkit app.manifest schema definition for more information about the JSON schemas used by the app.manifest file in the Splunk Packaging Toolkit.
  • Upgraded urllib3 to version 1.26.6 and requests library to 2.25.1.

    The upgrade to urllib3 breaks existiing HTTPS proxy configurations that do not handle HTTPS traffic. To work around this issue, you must reconfigure those proxies using HTTP instead of HTTPS.

Fixed issues in this release

This version of the Splunk Phantom App for Splunk was released on September 16, 2021 and fixes the following issues.

Date resolved Issue number Description
2021-08-13 PAPP-16917 400 Error When Deleting Very Large Data in Workbooks
2021-08-13 PAPP-17218 Missing backup copy for a duplicate workbook

Known issues in this release

This version of the Splunk Phantom App for Splunk was released on September 16, 2021 and has the following known issues.

Date filed Issue number Description
2021-12-22 PAPP-23255 Misleading 403 Forbidden error when syncing workbooks with Splunk cloud.

Workaround:
In the 4.1.73 release of the Phantom App for Splunk, there is an incorrect error message when workbooks are synced. The sync completes successfully, but the error message states that the sync failed.

The error message says: 

There was an error syncing workbooks from Phantom.

Status: 403 
Text: Forbidden
On Splunk: You (user=admin) do not have permission to perform this operation (requires capability: $phantom_read$).

You may safely ignore this error message.

2021-12-01 PAPP-22054 Upon successful phantom_retry, some artifacts end up in same container but should be unique.

Workaround:
NA
2021-11-26 PAPP-21689 Send to SOAR sometime throws "IndexError: list index out of range".
2021-10-14 PAPP-20821 Event forwarding configurations were not being updated to either enabled or disabled.
2021-10-13 PAPP-20810 Events in KV Store phantom_retry only sent if container label is valid.
2021-08-09 PAPP-19122 The SplunkD path is not set correctly in some cases.
Last modified on 24 August, 2022
  NEXT
About the Splunk Phantom App for Splunk

This documentation applies to the following versions of Splunk® Phantom App for Splunk: 4.1.73

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters