About the Splunk Phantom Remote Search app
Splunk Phantom and Splunk SOAR can use an external Splunk Enterprise or Splunk Cloud Platform instance as the main search engine to search for Splunk Phantom or Splunk SOAR data. To do this, install the Splunk Phantom Remote Search app on your Splunk instance to connect your Splunk instance to your Splunk Phantom or Splunk SOAR instance.
You can use the Splunk Phantom Remote Search app to connect Splunk Phantom or Splunk SOAR to the Splunk platform in the following ways:
- Connect Splunk Phantom or Splunk SOAR to a standalone Splunk platform instance. See Connect to a single Splunk platform instance for instructions.
- Connect Splunk Phantom or Splunk SOAR to a distributed Splunk platform deployment containing one or more search heads and one or more indexers, with or without a search head cluster or indexer cluster. See Connect to a distributed Splunk platform deployment for instructions.
New features and enhancements in this release
This release of the Splunk Phantom Remote Search app includes the following enhancements and updates:
- You can add Splunk Phantom or Splunk SOAR indexes to the Splunk platform by defining a custom prefix for the index. Each Splunk Phantom or Splunk SOAR instance can have its own custom prefix. See Define a custom index per Splunk Phantom instance in Administer Splunk Phantom.
- The `phantom_custom_function` index is added so that custom functions are searchable. See Add custom code to your Splunk Phantom playbook with the custom function block in Build Playbooks with the Visual Editor for more information about custom functions.
Obtain a Splunk Enterprise license to use the Splunk Phantom Remote Search app
You need a Splunk Enterprise license to use an external Splunk Enterprise instance with Splunk Phantom or Splunk SOAR. If you don't already have a Splunk Enterprise license, work with your delivery team to purchase one.
Version compatibility with Splunk Phantom/Splunk SOAR
The Splunk Phantom Remote Search App is compatible with specific Splunk Phantom/Splunk SOAR and Splunk platform combinations.
Splunk Cloud Platform
Verify you have one of the following Splunk Phantom/Splunk SOAR and Splunk Cloud Platform version combinations:
Splunk Phantom Remote Search App | Splunk Cloud Platform | Splunk Phantom/Splunk SOAR Cloud/On-premises |
---|---|---|
1.0.17 | 9.0.2303 | Splunk SOAR 6.0.0 |
1.0.17 | 9.0.2209 | Splunk SOAR 5.3.4, 5.3.5, 5.4.0, 5.5.0 |
1.0.17 | 9.0.2208 | Splunk SOAR 5.3.4, 5.3.5 |
1.0.17 | 9.0.2205 | Splunk SOAR 5.3.2, 5.3.3 |
1.0.17 | 8.2.2203 | Splunk SOAR 5.3.1 |
1.0.17 | 8.2.2202 | Splunk SOAR 5.3.0 |
1.0.17 | 8.2.2201 with Enterprise Security 7.0.0 | Splunk SOAR 5.2.0 |
1.0.17 | 8.2.2112 | Splunk SOAR 5.1.1 |
1.0.17 | 8.2.2111 | Splunk SOAR (On-premises) 5.1.0 or higher |
1.0.17 | 8.2.2109 | Splunk SOAR (On-premises) 5.0.1 or higher |
1.0.17 | 8.2.2107 | Splunk SOAR (On-premises) 5.0.1 or higher |
1.0.17 | 8.2.2106 | 4.10.5.58640 or higher |
1.0.17 | 8.2.2105 | 4.10.4.55789 or higher |
1.0.17 | 8.1.2103 | 4.10.1.47064 or higher |
1.0.17 | 8.0.6, 8.1.2009, 8.1.2011, 8.1.2012, 8.1.2101 | 4.10.x |
1.0.14 | 8.0.6, 8.0.x later than 8.0.6 | 4.8.x, 4.9.x |
1.0.14 | 7.3.x | 4.8.x, 4.9.x |
1.0.14 | 7.2.x | 4.8.x, 4.9.x |
1.0.12 | 7.2.x, 7.3.x | 4.8.x, 4.9.x |
Splunk Enterprise
Verify you have one of the following Splunk Phantom/Splunk SOAR and Splunk Enterprise combinations:
Splunk Phantom Remote Search App | Splunk Enterprise | Splunk Phantom/Splunk SOAR |
---|---|---|
1.0.17 | 9.0.3 | Splunk SOAR 6.0.0 |
1.0.17 | 9.0.1 | Splunk SOAR 5.3.5, 5.4.0, 5.5.0 |
1.0.17 | 9.0.0 | Splunk SOAR 5.3.1, 5.3.3, 5.3.4, 5.3.5 |
1.0.17 | 8.2.0 | Splunk SOAR 5.3.0, Phantom (On-premises) 4.10.4, Phantom SaaS 4.12.0 |
1.0.17 | 8.1.0, 8.0.6, 7.3.0 | Phantom (On-premises) 4.10.0 |
1.0.17 | 7.2.x, 7.3.0 | 4.6.x–4.9.x |
1.0.14 | 8.0.6–8.0.x | 4.8.x, 4.9.x |
1.0.14 | 7.3, 7.3.x | 4.8.x, 4.9.x |
1.0.14 | 7.2, 7.2.x | 4.8.x, 4.9.x |
1.0.12 | 7.3.0 | 4.6.x–4.9.x |
1.0.12 | 7.2, 7.2.x | 4.6.x–4.9.x |
This documentation applies to the following versions of Splunk® Phantom Remote Search: 1.0.17