Splunk® Phantom App for Splunk

Use the Splunk Phantom App for Splunk to Forward Events



Splunk Phantom App for Splunk has been replaced by Splunk App for SOAR Export.

What you need to install the Splunk Phantom App for Splunk on Splunk Cloud Platform

Verify that your environment is ready to use the Splunk Phantom App for Splunk to integrate Splunk Phantom or Splunk SOAR with your Splunk deployment.

Work with your support team to meet Splunk Cloud Platform requirements

Work with your support team to make sure your Splunk Cloud Platform environment is ready to install the Splunk Phantom App for Splunk:

Before you begin the installation, submit a support request to the Splunk Cloud Platform team to confirm that the administrative user has the required privileges. After the privileges are in place, open access to port 8089 (the Splunk management port) on your Splunk Cloud Platform deployment using the Admin Config Service (ACS) API.

  1. A user with administrative privileges must install both the Splunk Phantom App for Splunk and the Splunk software it runs on. When events can't be sent from Splunk Cloud Platform to Splunk Phantom or Splunk SOAR through alert actions, adaptive response actions, or event forwarding, they are stored in the phantom_retry KV Store collection, and a scripted input runs the phantom_retry.py script every 60 seconds as the admin user to retry sending them. If the user invoking phantom_retry.py is not the admin user, submit a support request to the Splunk Cloud Platform team to add the following to the local/inputs.conf file. The passAuth setting names the user whose session token is passed to the script, so that user needs the privileges required to read the phantom_retry collection and send the events:
    [script://$SPLUNK_HOME/etc/apps/phantom/bin/scripts/phantom_retry.py]
    passAuth = <username>
    
    Also make sure that editing local/inputs.conf does not change the file's ownership or permissions.
  2. Your Splunk Phantom or Splunk SOAR instance must run in the DMZ or perimeter network, behind the firewalls or reverse proxies it needs to reach your internal systems.
  3. Splunk Phantom requires a certificate chain that validates up to a publicly trusted root. Build cacerts.pem as a single PEM file that contains the server certificate, every intermediate certificate, and the root certificate. A bundle that omits an intermediate fails validation on the connecting side even though the server certificate itself is valid.
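Building and checking the cacerts.pem chain from step 3, as an added example that is not part of the Splunk documentation. It generates a constructed root, intermediate, and server certificate so that it runs offline (in production these come from your public CA and only the bundling and checking steps apply), concatenates them leaf first, which is the ordering this example assumes since the page does not state one, confirms that each certificate is issued by the one after it and that the last one is a self-signed root, and runs openssl verify the way a connecting client would. The file names root.crt, int.crt, server.crt and the host name soar.example.com are placeholders.

```shell
#!/bin/sh
# Added example, not from the Splunk documentation: build the single-file
# cacerts.pem chain that Splunk Phantom/SOAR expects and check it with openssl.
# Assumptions: the bundle is ordered leaf -> intermediate(s) -> root, and a
# throwaway CA hierarchy generated here stands in for the public CA chain.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles for the constructed CA certificates and the server cert.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nsubjectAltName=DNS:soar.example.com\n' > server.ext

# make_test_chain: generate root -> intermediate -> server offline. In
# production these files come from your CA; only the steps after this apply.
make_test_chain() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Test Root" \
    -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -sha256 -days 2 -in root.csr -signkey root.key \
    -extfile ca.ext -out root.crt 2>/dev/null

  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Test Intermediate" \
    -keyout int.key -out int.csr 2>/dev/null
  openssl x509 -req -sha256 -days 2 -in int.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -extfile ca.ext -out int.crt 2>/dev/null

  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=soar.example.com" \
    -keyout server.key -out server.csr 2>/dev/null
  openssl x509 -req -sha256 -days 2 -in server.csr -CA int.crt -CAkey int.key \
    -CAcreateserial -extfile server.ext -out server.crt 2>/dev/null
}

# build_bundle OUT CERT...: concatenate certificates into one PEM file. Pass the
# leaf first so a reader walking top-down goes leaf -> issuer -> root.
build_bundle() {
  out=$1
  shift
  cat "$@" > "$out"
}

cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# check_bundle_order BUNDLE: succeed only if each certificate is issued by
# the one that follows it and the last one is a self-signed root.
check_bundle_order() {
  bundle=$1
  parts=$(mktemp -d)
  awk -v d="$parts" '/-----BEGIN CERTIFICATE-----/ { n++ } { print > (d "/cert" n ".pem") }' "$bundle"
  n=$(cert_count "$bundle")
  i=1
  while [ "$i" -lt "$n" ]; do
    next=$((i + 1))
    issuer=$(openssl x509 -noout -issuer -in "$parts/cert$i.pem")
    subject=$(openssl x509 -noout -subject -in "$parts/cert$next.pem")
    if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
      echo "$bundle: certificate $i is not issued by certificate $next" >&2
      return 1
    fi
    i=$next
  done
  subject=$(openssl x509 -noout -subject -in "$parts/cert$n.pem")
  issuer=$(openssl x509 -noout -issuer -in "$parts/cert$n.pem")
  if [ "${subject#subject=}" != "${issuer#issuer=}" ]; then
    echo "$bundle: last certificate is not a self-signed root" >&2
    return 1
  fi
}

# verify_chain ROOT INTERMEDIATE LEAF: the check a TLS client performs,
# trusting only the root and treating the intermediate as untrusted input.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null
}

make_test_chain
build_bundle cacerts.pem server.crt int.crt root.crt      # correct order
build_bundle reversed.pem root.crt int.crt server.crt     # root first: wrong
build_bundle missing_int.pem server.crt root.crt          # intermediate left out

check_bundle_order cacerts.pem && echo "cacerts.pem: $(cert_count cacerts.pem) certs, leaf -> intermediate -> root"
check_bundle_order reversed.pem || echo "reversed.pem rejected"
check_bundle_order missing_int.pem || echo "missing_int.pem rejected"
verify_chain root.crt int.crt server.crt && echo "server.crt: verifies to root"
```

The two bundles that fail check_bundle_order are the mistakes seen most often in practice: the root placed first, and the intermediate left out entirely. Only certificates go into cacerts.pem; the server's private key is configured separately and must never be concatenated into the chain file.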

Splunk product compatibility requirements

The Splunk Phantom App for Splunk requires specific combinations of Splunk software versions. In the table, an entry such as Splunk ES 6.5.1, 6.5.x means that Splunk ES version 6.5.1 or any later 6.5.x release is required.

Verify that you are using one of the following product version combinations if you are installing the Splunk Phantom App for Splunk on Splunk Cloud Platform:

Splunk Phantom App for Splunk 4.1.73 (CIM version 4.18.0)
    Splunk Cloud Platform   Splunk ES        Splunk Phantom          Splunk SOAR
    8.2.2107                6.6.1, 6.6.x     5.0.1.64780, 5.0.x      5.0.0.63789, 5.0.x
    8.2.2106                6.6.1, 6.6.x     5.0.1.64780, 5.0.x      5.0.0.63789, 5.0.x
    8.2.2105                6.6.1, 6.6.x     5.0.1.64780, 5.0.x      5.0.0.63789, 5.0.x

Splunk Phantom App for Splunk 4.1.3 (CIM version 4.18.0)
    Splunk Cloud Platform   Splunk ES        Splunk Phantom          Splunk SOAR
    8.2.2106                6.6.0, 6.6.x     4.10.5.58640, 4.10.x    4.12.2.58336, 4.12.x
    8.2.2105                6.5.1, 6.5.x     4.10.5.58640, 4.10.x    4.12.0.56071, 4.12.x
    8.2.2104.1              6.5.1, 6.5.x     4.10.4, 4.10.x          4.12.0.56045, 4.12.x
    8.1.2103                6.5.1, 6.5.x     4.10.4, 4.10.x          4.12.0.56045, 4.12.x

Splunk Phantom App for Splunk 4.0.35 (CIM version 4.18.0)
    Splunk Cloud Platform   Splunk ES        Splunk Phantom          Splunk SOAR
    8.2.2104                6.5.1, 6.5.x     4.10.3.51283, 4.10.x    N/A
    8.1.2103                6.5.x            4.10.3.51283, 4.10.x    N/A
    8.1.2101                6.2.x            4.10.1.45070, 4.10.x    N/A
    8.1.2101                6.4.1, 6.4.x     4.10.0.40025, 4.10.x    N/A
    8.1.2012                6.2.0, 6.2.x     4.10.0.40961, 4.10.x    N/A
    8.1.2012                6.4.1, 6.4.x     4.10.0.40025, 4.10.x    N/A
    8.1.2011                6.2.0, 6.2.x     4.10.0.40961, 4.10.x    N/A
    8.1.2011                6.4.1, 6.4.x     4.10.0.40025, 4.10.x    N/A
    8.1.2009                6.2.0, 6.2.x     4.10.0.40961, 4.10.x    N/A
    8.0                     6.1.1, 6.1.x     4.10.0.40961, 4.10.x    N/A
    7.3                     5.3.1, 5.3.2     4.10.0.40961, 4.10.x    N/A

Splunk Phantom App for Splunk 4.0.10 (CIM version 4.18.0)
    Splunk Cloud Platform   Splunk ES                      Splunk Phantom                         Splunk SOAR
    8.0.3                   6.1.1, 6.1.x, 6.2.0, 6.2.x     4.8.24304, 4.8.x, 4.9.39220, 4.9.x     N/A
    7.3.5                   5.3.1, 5.3.x                   4.8.24304, 4.8.x, 4.9.39220, 4.9.x     N/A
    7.2.10.2                5.3.1, 5.3.x                   4.8.24304, 4.8.x, 4.9.39220, 4.9.x     N/A

Required apps

Make sure you have the following apps installed on your Splunk Cloud Platform deployment:

Splunk Phantom App for Splunk (this app)
    Download the Splunk Phantom App for Splunk from Splunkbase. This app is required to map event fields to CEF format and then forward those events to Splunk Phantom.

Common Information Model (CIM)
    Download the Splunk Common Information Model (CIM) from Splunkbase. If you have Splunk Enterprise Security (ES) installed, you don't need to download this library, because it is already included with Splunk ES. This app is required for the automated mapping models in adaptive response actions on Splunk Cloud Platform to work correctly.

Last modified on 12 May, 2022

This documentation applies to the following versions of Splunk® Phantom App for Splunk: 4.1.73

