Run adaptive response actions in Splunk ES to send notable events to Splunk Phantom or Splunk SOAR
You can run adaptive response actions in Splunk Enterprise Security (ES) to send notable events to Splunk Phantom or Splunk SOAR. The notable events appear as artifacts in Splunk Phantom or Splunk SOAR. See Set up Adaptive Response actions in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual for more information about setting up and running adaptive response actions.
Perform the following steps to set up adaptive response actions in Splunk ES and integrate the notable events with Splunk Phantom or Splunk SOAR:
- In Splunk Web, navigate to the Splunk Enterprise Security app.
- Click the Incident Review tab.
- From the time range picker, select the time period you want to view data for, and click Submit. Notable events from your selected time range appear in a table.
- Click the drop-down arrow in the Actions column for a notable event.
- Click Run Adaptive Response Actions.
- In the Adaptive Response Actions dialog, click Add New Response Actions.
- Select the desired response action:
  - Click Send to Phantom to send the notable event as an artifact to Splunk Phantom or Splunk SOAR.
  - Click Run Playbook in Phantom to send the notable event as an artifact to Splunk Phantom or Splunk SOAR and run a playbook on it.
- In the menu that appears, complete the adaptive response action configuration. The fields are as follows:
  - Phantom Instance (required):
    - If you are running a Send to Phantom adaptive response action, select the Splunk Phantom or Splunk SOAR instance you are connecting to.
    - If you are running a Run Playbook in Phantom adaptive response action, select the Splunk Phantom or Splunk SOAR instance you are connecting to and the playbook you want to run.
  - Sensitivity (required): Sensitivity level for the forwarded event.
  - Severity (required): Severity level for the forwarded event.
  - Label (optional): Label for the forwarded event. The label must match a label that already exists on the Splunk Phantom server or in Splunk SOAR, such as the default label events or a custom label created by Splunk Phantom or Splunk SOAR users. See Troubleshoot the Splunk Phantom App for Splunk for an example search that verifies the label was added successfully.
  - Worker Set (required): The search head or heavy forwarder that sends the notable events from Splunk ES to Splunk Phantom or Splunk SOAR:
    - Select local to send notable events or run playbooks from the current search head, without using adaptive response relay.
    - Select a heavy forwarder to send notable events or run playbooks through that forwarder, using adaptive response relay. See Use adaptive response relay to send notable events from Splunk ES to Splunk Phantom or Splunk SOAR.
  - Alert Action Account (required for adaptive response relay): An existing account name configured on the Alert Action Configuration page. See Set up adaptive response relay on your Splunk instances. Leave this field blank if you are not using adaptive response relay to send notable events from Splunk ES to Splunk Phantom or Splunk SOAR.
- Click Run.
To view results for your Splunk Phantom or Splunk SOAR instance and playbook, you must run the sync playbooks command from the Splunk Phantom Server Configuration page in the Splunk Phantom App for Splunk. See Connect the Splunk Phantom App for Splunk and the Splunk Platform to a Splunk Phantom server or Splunk SOAR.
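The procedure above leaves two things to get right that the dialog does not enforce for you: the label must already exist in Splunk SOAR, and the Alert Action Account must be set exactly when a relay heavy forwarder is chosen as the worker set. The following is an added example, not code from the Splunk Phantom App for Splunk. It encodes the field rules from the steps above as a pre-flight check and sketches the container and artifact the notable event becomes in Splunk SOAR. The accepted severity and sensitivity values are SOAR's defaults; the instance names, label set, and notable event are constructed sample data, and the exact set of fields the app populates on the artifact is an assumption.

```python
"""Pre-flight check for a Send to Phantom / Run Playbook in Phantom configuration."""
from dataclasses import dataclass
from typing import Optional

# Default Splunk SOAR values; a deployment may have added custom ones.
SEVERITIES = {"high", "medium", "low"}
SENSITIVITIES = {"red", "amber", "green", "white"}  # TLP colours
ACTIONS = {"Send to Phantom", "Run Playbook in Phantom"}  # names as shown in the dialog
DEFAULT_LABEL = "events"


@dataclass
class ResponseActionConfig:
    action: str                        # which adaptive response action was chosen
    phantom_instance: str              # Phantom Instance field
    sensitivity: str                   # Sensitivity field
    severity: str                      # Severity field
    worker_set: str                    # "local" or the name of a relay heavy forwarder
    label: Optional[str] = None        # Label field; must already exist in SOAR
    playbook: Optional[str] = None     # only used by Run Playbook in Phantom
    alert_action_account: Optional[str] = None  # only used with adaptive response relay


def validate(cfg: ResponseActionConfig, existing_labels: set) -> list:
    """Return the list of problems with cfg; an empty list means it is consistent."""
    problems = []
    if cfg.action not in ACTIONS:
        problems.append(f"unknown action {cfg.action!r}")
    if not cfg.phantom_instance:
        problems.append("Phantom Instance is required")
    if cfg.action == "Run Playbook in Phantom" and not cfg.playbook:
        problems.append("Run Playbook in Phantom requires a playbook")
    if cfg.sensitivity not in SENSITIVITIES:
        problems.append(f"sensitivity {cfg.sensitivity!r} is not one of {sorted(SENSITIVITIES)}")
    if cfg.severity not in SEVERITIES:
        problems.append(f"severity {cfg.severity!r} is not one of {sorted(SEVERITIES)}")
    # Label is optional, but one that SOAR does not know will not match anything.
    if cfg.label is not None and cfg.label not in existing_labels:
        problems.append(f"label {cfg.label!r} does not exist on the SOAR instance")
    if not cfg.worker_set:
        problems.append("Worker Set is required")
    elif cfg.worker_set == "local" and cfg.alert_action_account:
        problems.append("Alert Action Account must be blank when Worker Set is local")
    elif cfg.worker_set != "local" and not cfg.alert_action_account:
        problems.append("Alert Action Account is required when relaying through a heavy forwarder")
    return problems


def to_soar_payload(cfg: ResponseActionConfig, notable: dict) -> dict:
    """Container and artifact as the notable event would appear in SOAR.

    Assumption: the container carries label, severity and sensitivity and the
    artifact carries the notable event's fields as CEF-style key/values; the
    app itself may fill in more fields than shown here.
    """
    label = cfg.label or DEFAULT_LABEL
    container = {
        "name": notable["rule_title"],
        "label": label,
        "severity": cfg.severity,
        "sensitivity": cfg.sensitivity,
        "source_data_identifier": notable["event_id"],
    }
    artifact = {
        "name": "Splunk ES notable event",
        "label": label,
        "severity": cfg.severity,
        "source_data_identifier": notable["event_id"],
        "cef": {k: v for k, v in notable.items() if k not in ("event_id", "rule_title")},
    }
    payload = {"container": container, "artifact": artifact}
    if cfg.action == "Run Playbook in Phantom":
        payload["playbook"] = cfg.playbook
    return payload


# Constructed sample data: labels known to the SOAR instance and one notable event.
KNOWN_LABELS = {"events", "splunk_es"}
SAMPLE_NOTABLE = {
    "event_id": "A1B2C3D4@@notable@@0123456789abcdef",
    "rule_title": "Brute Force Access Behavior Detected",
    "src": "10.0.0.5",
    "user": "svc-backup",
    "urgency": "high",
}

RELAYED = ResponseActionConfig(
    action="Send to Phantom", phantom_instance="soar-prod",
    sensitivity="amber", severity="high", worker_set="hf-relay-01",
    label="splunk_es", alert_action_account="soar_relay_account",
)
# Same settings with the relay account left blank: caught before Run is clicked.
RELAYED_NO_ACCOUNT = ResponseActionConfig(
    action="Send to Phantom", phantom_instance="soar-prod",
    sensitivity="amber", severity="high", worker_set="hf-relay-01",
    label="splunk_es",
)

if __name__ == "__main__":
    print(validate(RELAYED, KNOWN_LABELS))
    print(validate(RELAYED_NO_ACCOUNT, KNOWN_LABELS))
    print(to_soar_payload(RELAYED, SAMPLE_NOTABLE))
```

The label set is passed in rather than fetched so the check runs offline; in practice you would populate it from the SOAR instance (or from the search referenced under Troubleshoot the Splunk Phantom App for Splunk) before comparing.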
This documentation applies to the following versions of Splunk® Phantom App for Splunk: 4.1.73