Splunk® Phantom App for Splunk

Use the Splunk Phantom App for Splunk to Forward Events

Splunk Phantom App for Splunk has been replaced by Splunk App for SOAR Export.

About the Splunk Phantom App for Splunk

Splunk Phantom and Splunk SOAR can use the Splunk platform as a source of data by ingesting events. The Splunk Phantom App for Splunk is required to configure Splunk Enterprise or Splunk Cloud Platform as a data source for getting data into Splunk Phantom or Splunk SOAR.

What does the Splunk Phantom App for Splunk do?

The following image shows an example of how a standalone Splunk Phantom instance is integrated with a Splunk platform environment.

This diagram shows how the Splunk Phantom App for Splunk translates CIM data from the Splunk platform to CEF data for Splunk Phantom. Splunk Cloud Platform and Splunk Enterprise are shown on the left. Arrows from both Splunk Cloud Platform and Splunk Enterprise point to a box labeled Splunk Alerts, which contains Saved Search, Data Model, and Splunk ES Notable. The Splunk Phantom App for Splunk perform mapping to CEF fields for Saved Search and Data Model, and CIM to CEF translation for Splunk ES Notables. Finally, CEF events are sent from the Splunk platform to Splunk Phantom or Splunk SOAR.

The Splunk Phantom App for Splunk is installed as an app on the Splunk platform and forwards events to Splunk Phantom or Splunk SOAR. The Splunk platform environment consists of raw events or Common Information Model (CIM) data, while Splunk Phantom and Splunk SOAR use the Common Event Format (CEF). The Splunk Phantom App for Splunk acts as a translation service between the Splunk platform and Splunk Phantom or Splunk SOAR by performing the following tasks:

  • Mapping fields from Splunk platform alerts, such as saved searches and data models, to CEF fields.
  • Translating CIM fields from Splunk Enterprise Security (ES) notable events to CEF fields.
  • Forwarding events in CEF format to Splunk Phantom or Splunk SOAR, which are stored as artifacts.

How Splunk Phantom integrates with the Splunk platform

The following image shows how Splunk Phantom is integrated into a Splunk environment.

From left to right, a REST data icon is connected to App APIs, which is connected to the Internet and Firewall using TCP ports 80 and 443, which is then connected to a standalone Splunk Phantom instance. Also connected to the Splunk Phantom instance as REST data over TCP port 443 or custom ports, and analysts and admins over TCP ports 22 and 443. The Splunk Phantom instance is connected to an external Splunk instance with the Splunk Phantom App for Splunk installed. Specifically, the Splunk Phantom instance connects to the forwarders on the external Splunk instance over TCP ports 9996 and 9997, and to the search head over TCP ports 8089 and 443.

Before you install the Splunk Phantom App for Splunk, make sure you review the requirements.

Last modified on 02 February, 2022
Welcome to the Splunk Phantom App for Splunk release 4.1.73   What you need to install the Splunk Phantom App for Splunk on Splunk Enterprise

This documentation applies to the following versions of Splunk® Phantom App for Splunk: 4.1.73


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters