What you need to install the Splunk Phantom App for Splunk on Splunk Cloud Platform
Verify that your environment is ready to use the Splunk Phantom App for Splunk to integrate Splunk Phantom or Splunk SOAR with your Splunk deployment.
Work with your support team to meet Splunk Cloud Platform requirements
Work with your support team to make sure your Splunk Cloud Platform environment is ready to install the Splunk Phantom App for Splunk:
Before you begin the installation process, submit a support request to the Splunk Cloud Platform team to make sure the administrative user has the correct privileges. After you have the correct privileges, open access from Splunk Cloud Platform to port 8089 using the Admin Config Service (ACS) API.
- The Splunk Phantom App for Splunk requires that a user with administrative privileges installs both the Splunk Phantom App for Splunk and Splunk software. In situations where events can't be sent from Splunk Cloud Platform to Splunk Phantom or Splunk SOAR using alert actions, adaptive response actions, or event forwarding, the events are stored in the phantom_retry KV Store collection. The Splunk Phantom App for Splunk requires the admin user to run the
phantom_retry.py
script every 60 seconds to try to send any events that could not be sent earlier. If the user invoking thephantom_retry.py
script is not the admin user, submit a support request to to the Splunk Cloud Platform team to modify thelocal/inputs.conf
file to contain:[script://$SPLUNK_HOME/etc/apps/phantom/bin/scripts/phantom_retry.py] passAuth = <username>
Also make sure thelocal/inputs.conf
file does not change ownership or permission. - Your Splunk Phantom or Splunk SOAR instance must be running in the DMZ or perimeter network with the appropriate firewalls or reverse proxies to support internal connectivity.
- Splunk Phantom requires a publicly valid certificate chain. The cacerts.pem file must be configured into a single PEM certificate file with the server, intermediate, and root certificates.
Splunk product compatibility requirements
The Splunk Phantom App for Splunk requires specific Splunk software combinations. For example, Splunk ES versions 6.5.1, 6.5.x means that Splunk ES version 6.5.1 or any 6.5.x release later than 6.5.1 is required.
Verify that you are using the following product version combinations if you installing the Splunk Phantom App for Splunk on Splunk Cloud Platform:
Splunk Phantom App for Splunk Version | Splunk Cloud Platform Version | Splunk ES Version | Splunk Phantom Version | Splunk SOAR Version |
---|---|---|---|---|
4.1.73 (CIM version 4.18.0) |
8.2.2107 | 6.6.1, 6.6.x | 5.0.1.64780, 5.0.x | 5.0.0.63789, 5.0.x |
8.2.2106 | 6.6.1, 6.6.x | 5.0.1.64780, 5.0.x | 5.0.0.63789, 5.0.x | |
8.2.2105 | 6.6.1, 6.6.x | 5.0.1.64780, 5.0.x | 5.0.0.63789, 5.0.x | |
4.1.3 (CIM version 4.18.0) |
8.2.2106 | 6.6.0. 6.6.x | 4.10.5.58640, 4.10.x | 4.12.2.58336, 4.12.x |
8.2.2105 | 6.5.1, 6.5.x | 4.10.5.586400, 4.10.x | 4.12.0.56071, 4.12.x | |
8.2.2104.1 | 6.5.1, 6.5.x | 4.10.4, 4.10.x | 4.12.0.56045, 4.12.x | |
8.1.2103 | 6.5.1, 6.5.x | 4.10.4, 4.10.x | 4.12.0.56045, 4.12.x | |
4.0.35 (CIM version 4.18.0) |
8.2.2104 | 6.5.1, 6.5.x | 4.10.3.51283, 4.10.x | N/A |
8.1.2103 | 6.5.x | 4.10.3.51283, 4.10.x | N/A | |
8.1.2101 | 6.2.x | 4.10.1.45070, 4.10.x | N/A | |
8.1.2101 | 6.4.1, 6.4.x | 4.10.0.40025, 4.10.x | N/A | |
8.1.2012 | 6.2.0, 6.2.x | 4.10.0.40961, 4.10.x | N/A | |
8.1.2012 | 6.4.1, 6.4.x | 4.10.0.40025, 4.10.x | N/A | |
8.1.2011 | 6.2.0, 6.2.x | 4.10.0.40961, 4.10.x | N/A | |
8.1.2011 | 6.4.1, 6.4.x | 4.10.0.40025, 4.10.x | N/A | |
8.1.2009 | 6.2.0, 6.2.x | 4.10.0.40961, 4.10.x | N/A | |
8.0 | 6.1.1, 6.1.x | 4.10.0.40961, 4.10.x | N/A | |
7.3 | 5.3.1, 5.3.2 | 4.10.0.40961, 4.10.x | N/A | |
4.0.10 (CIM version 4.18.0) |
8.0.3 | 6.1.1, 6.1.x, 6.2.0, 6.2.x | 4.8.24304, 4.8.x, 4.9.39220, 4.9.x | N/A |
7.3.5 | 5.3.1, 5.3.x | 4.8.24304, 4.8.x, 4.9.39220, 4.9.x | N/A | |
7.2.10.2 | 5.3.1, 5.3.x | 4.8.24304, 4.8.x, 4.9.39220, 4.9.x | N/A |
Required apps
Make sure you have the following apps installed on your Splunk Cloud Platform:
App | Description |
---|---|
Splunk Phantom App for Splunk (this app) | Download the Splunk Phantom App for Splunk from Splunkbase. This app is required to map event fields to CEF format, then forward those events to Splunk Phantom. |
Common Information Model | Download the Splunk Common Information Model (CIM) from Splunkbase. If you have Splunk Enterprise Security (ES) installed, you don't need to download this library as it is already included with Splunk ES.
|
Upgrade the Splunk Phantom App for Splunk on Splunk Enterprise | Install the Splunk Phantom App for Splunk on Splunk Cloud Platform |
This documentation applies to the following versions of Splunk® Phantom App for Splunk: 4.1.73
Feedback submitted, thanks!