Verify that data can be pushed from the Splunk platform to Splunk Phantom or Splunk SOAR
Perform the following steps to verify that data can be pushed from the Splunk platform to Splunk Phantom or Splunk SOAR. In this example, we will send an event with the IP address 123.45.66.77 to a Splunk Phantom server named "Default Splunk Phantom":
- If you are not using Splunk Enterprise Security (ES), make sure you have installed the Splunk Common Information Model (CIM) app from Splunkbase.
- On your Splunk platform, go to the Search & Reporting app.
- Enter the following search:
| makeresults | eval src_ip="123.45.66.77" | sendalert sendtophantom param.phantom_server="Default Splunk Phantom" param.sensitivity="amber" param.severity="low" param.label="events"
The param.phantom_server value must exactly match the value in the Name field of your Splunk Phantom server configuration; if it does not, the alert action cannot resolve the destination and nothing is sent.
- Log in to your Splunk Phantom or Splunk SOAR instance.
- From the Main Menu, select Sources and verify that there is an Ad hoc search result.
- Click on Ad hoc search result.
- Verify that the source IP, 123.45.66.77 in our example, exists as an artifact.
If you do not see the artifact, open the search job's log (Job > Inspect Job on the search head) and look for sendmodalert errors from the sendtophantom action, then validate network connectivity over TCP port 443 from the Splunk search head (the host that runs the alert action) to Splunk Phantom or Splunk SOAR. A TLS handshake failure, such as an untrusted server certificate, shows up in the same job log.
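The following script automates the procedure above end to end: it submits the same ad hoc search through the Splunk REST API, waits for the job, scans the job's search.log for sendmodalert failures, and then checks the SOAR REST API for an artifact carrying the test IP. This is an added example, not code from the Splunk Phantom App for Splunk. It assumes a Splunk management port of 8089 with a bearer token, a SOAR automation-user token sent as the ph-auth-token header, the sendmodalert log line shapes shown in the constructed sample, and hypothetical host names; the live run is in run_and_verify(), while the offline parts run as-is.

```python
"""Verify a Splunk -> Splunk SOAR push end to end (added example)."""
import json
import ssl
import time
import urllib.parse
import urllib.request

# Constructed placeholder values; replace with your own hosts and credentials.
SPLUNK_URL = "https://splunk-sh.example.com:8089"      # assumed management port
SPLUNK_TOKEN = "<splunk-bearer-token>"
SOAR_URL = "https://soar.example.com"
SOAR_TOKEN = "<soar-automation-user-token>"           # sent as ph-auth-token
TEST_IP = "123.45.66.77"
PHANTOM_SERVER = "Default Splunk Phantom"               # must match the Name field

# Constructed job-log excerpt in the shape sendmodalert writes (assumption).
SAMPLE_JOB_LOG = """\
05-01-2024 10:00:01.100 INFO  sendmodalert - action=sendtophantom - Alert action script completed in duration=512 ms with exit code=0
05-01-2024 10:00:02.200 ERROR sendmodalert - action=sendtophantom STDERR - Connection refused: soar.example.com:443
05-01-2024 10:00:02.300 INFO  sendmodalert - action=sendtophantom - Alert action script completed in duration=87 ms with exit code=1
"""


def build_search(src_ip, phantom_server, label="events"):
    """Return the ad hoc search from the procedure, parameterised."""
    return (
        f'| makeresults | eval src_ip="{src_ip}" '
        f'| sendalert sendtophantom param.phantom_server="{phantom_server}" '
        f'param.sensitivity="amber" param.severity="low" param.label="{label}"'
    )


def alert_action_errors(search_log):
    """Pick out sendmodalert failures: ERROR/STDERR lines and non-zero exit codes."""
    errors = []
    for line in search_log.splitlines():
        if "sendmodalert" not in line:
            continue
        if " ERROR " in line or "STDERR" in line:
            errors.append(line.strip())
        elif "exit code=" in line and not line.rstrip().endswith("exit code=0"):
            errors.append(line.strip())
    return errors


def artifact_matches(artifacts, ip):
    """True if any artifact's CEF dictionary carries the IP, whatever the field name.

    Matching on the value rather than a field name avoids assuming how the app
    maps the CIM field src_ip to a CEF field."""
    return any(str(v) == ip for a in artifacts for v in a.get("cef", {}).values())


def _request(url, headers, data=None, ctx=None):
    req = urllib.request.Request(url, data=data, headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode()


def run_and_verify(ctx=None):
    """Live check. Returns (artifact_found, job_log_errors).

    Pass an ssl.SSLContext with your internal CA loaded via load_verify_locations()
    instead of disabling verification."""
    ctx = ctx or ssl.create_default_context()
    sh = {"Authorization": f"Bearer {SPLUNK_TOKEN}"}
    body = urllib.parse.urlencode(
        {"search": build_search(TEST_IP, PHANTOM_SERVER), "output_mode": "json"}
    ).encode()
    sid = json.loads(_request(f"{SPLUNK_URL}/services/search/jobs", sh, body, ctx))["sid"]
    while True:  # poll until the job, and therefore the alert action, has finished
        job = json.loads(_request(f"{SPLUNK_URL}/services/search/jobs/{sid}?output_mode=json", sh, ctx=ctx))
        if job["entry"][0]["content"]["isDone"]:
            break
        time.sleep(2)
    errors = alert_action_errors(_request(f"{SPLUNK_URL}/services/search/jobs/{sid}/search.log", sh, ctx=ctx))
    soar = {"ph-auth-token": SOAR_TOKEN}
    query = f"{SOAR_URL}/rest/artifact?page_size=50&sort=create_time&order=desc"
    for _ in range(5):  # the artifact may lag the job by a few seconds
        artifacts = json.loads(_request(query, soar, ctx=ctx))["data"]
        if artifact_matches(artifacts, TEST_IP):
            return True, errors
        time.sleep(3)
    return False, errors


if __name__ == "__main__":
    # Offline demonstration on the constructed log; call run_and_verify() for a live check.
    for err in alert_action_errors(SAMPLE_JOB_LOG):
        print("job log problem:", err)
```

Read the two return values together: a non-empty error list with no artifact usually points at the connectivity or certificate problems described above, while an empty error list with no artifact is worth checking against the param.phantom_server name and the SOAR user's permissions.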
This documentation applies to the following versions of Splunk® Phantom App for Splunk: 4.1.73