Splunk® Phantom Remote Search

Splunk Phantom Remote Search

Acrobat logo Download manual as PDF


Splunk Phantom Remote Search has been replaced by Splunk App for SOAR.
Acrobat logo Download topic as PDF

Connect to a standalone Splunk instance

Follow the steps listed to connect your Splunk Phantom or Splunk SOAR instance or cluster to a standalone external Splunk instance or Splunk Cloud Platform deployment.

  1. Set up the HTTP Event Collector on the Splunk platform.
  2. Create the required user accounts on the Splunk instance for Splunk Phantom.
  3. Configure Splunk Phantom to use an external Splunk instance.

Set up the HTTP Event Collector on the standalone Splunk platform instance

Enable the HTTP Event Collector (HEC) on the Splunk platform and create a new token so you can use the HEC. Repeat these tasks on other indexers if those other indexers require separate HEC tokens. See Scale HTTP Event Collector with distributed deployments in the Splunk Enterprise Getting Data In manual for more information.

Follow the instructions for your Splunk Enterprise or Splunk Cloud Platform deployment:

Deployment Type Documentation
Splunk Enterprise See Configure HTTP Event Collector on Splunk Enterprise for instructions.
Splunk Cloud Platform Configure HTTP Event Collector on Splunk Cloud for instructions.
Splunk Cloud Platform free trial Configure HTTP Event Collector on Splunk Cloud free trial for instructions.

When you are creating the new token, add all the indexes listed below, including any custom indexes, and move them to the Selected item(s) list. Then, select the index you want to use as the default index, such as phantom_app. The following screenshot shows an example.

This screenshot shows the Input Settings page when adding a new token for a data input on the Splunk platform. The Index field is highlighted, showing a series of index names starting with "phantom_" that are moved from the Available items column to the Selected items column.

The following is a list of all the Splunk Phantom indexes available for the HTTP Event Collector:

  • phantom_action_run
  • phantom_app
  • phantom_app_run
  • phantom_artifact
  • phantom_asset
  • phantom_container
  • phantom_container_attachment
  • phantom_container_comment
  • phantom_container_note
  • phantom_custom_function
  • phantom_decided_list
  • phantom_note
  • phantom_playbook
  • phantom_workflow_note

On the HTTP Event Collector page, copy the token value for the new token. You will need this value when you configure Splunk Phantom. If you don't copy it now, you can return to the HTTP Event Collector page to obtain the value later when you need it.

Upgrading to Splunk Phantom Remote Search version 1.0.17

If you are upgrading to Splunk Phantom Remote Search version 1.0.17, you will need to add the phantom_custom_function index to the HTTP Event Collector.

Using custom prefixes

If you have multiple Splunk Phantom instances in your environment, you can append a custom prefix to the index created on the Splunk platform. Use the custom prefix to create separate indexes for each Splunk Phantom instance, which provides data separation and the ability to correlate each index with the appropriate Splunk Phantom instance. For more information, click on one or the following documentation links:

Restart Splunk if your Splunk Phantom indexes are not recognized

In some cases, Splunk Cloud Platform does not recognize Splunk Phantom indexes, in which case data such as the custom function data won't be indexed. You will see an error like the following example in your Splunk logs:

03-15-2021 19:10:07.802 +0000 WARN  IndexAdminHandler [23800 TcpChannelThread] - idx=newsearch_phantom_custom_function Unable to reload indexer after adding: reason='already reloading or shutting down, will not reload'. Restart required.

Restart your Splunk Cloud Platform instance to resolve this issue.

Create the required user accounts on the standalone Splunk instance or Splunk Cloud Platform deployment for Splunk Phantom or Splunk SOAR

Splunk Phantom and Splunk SOAR require two user accounts with roles added by the Phantom Remote Search app. The roles are ​phantomsearch​ and ​phantomdelete​. You can use any user names you like for these accounts. These instructions use ​phantomsearchuser​ and ​phantomdeleteuser as examples​.

Create these accounts on a search head.

  1. In Splunk Web, select ​Settings​ > ​Access Controls.
  2. Create the user account with the phantomsearch role:
    1. Click Users.
    2. Click ​New User​.
    3. Type ​phantomsearchuser​ in the ​Name field​.
    4. Set and confirm a password for this user which complies with your organization's security policies.
    5. Under ​Assigned role(s)​, in the ​Selected item(s)​ box, select ​user​ to remove that role.
    6. Under ​Assigned role(s)​, in the ​Available item(s)​ box, select ​phantomsearch​ to add that role.
    7. Deselect the ​Require password change on first login​ check box.
    8. Click Save.
  3. Create the user account with the phantomdelete role:
    1. Click New User.
    2. Type ​phantomdeleteuser​ in the ​Name field​.
    3. Set and confirm a password for this user which complies with your organization's security policies.
    4. Under ​Assigned role(s)​, in the ​Selected item(s)​ box, select ​user​ to remove that role.
    5. Under ​Assigned role(s)​, in the ​Available item(s)​ box, select ​phantomdelete​ to add that role.
    6. Deselect the ​Require password change on first login​ check box.
    7. Click Save.

Configure Splunk Phantom or Splunk SOAR to use an external Splunk instance or Splunk Cloud Platform deployment

After the Splunk Phantom Remote Search app is installed and the required user accounts are created, configure Splunk Phantom or Splunk SOAR to use the external Splunk instance or Splunk Cloud Platform deployment.

Verify that you have required information before adding the external Splunk instance or Splunk Cloud Platform Deployment

Before proceeding, verify that you have the following:

  • The host name and the REST API port number of your Splunk instance or Splunk Cloud Platform deployment.
  • The HTTP Event Collector token
  • The user names and passwords for the user accounts with the ​phantomsearch​ and ​phantomdelete​ roles.

Add the external Splunk instance

Perform the following tasks to add the external Splunk Enterprise instance or Splunk Cloud Platform deployment.

  1. Log in to Splunk Phantom or Splunk SOAR as an administrative user.
  2. From the ​main menu​, select ​Administration​.
  3. Select Administration Settings​.
  4. Select Search Settings​.
  5. In the Search Endpoint field​, select the radio button for External Splunk Enterprise Instance​.
    1. In the Enable Splunk Search Endpoint section, type the host name of your Splunk instance in the ​Host​ field.
    2. In the User with Search Privileges field, type the user name and password for the user account with the ​phantomsearch​ role in the ​Username​ and ​Password​ fields.
    3. In the User with Delete Privileges field, type the user name and password for the user account with the ​phantomdelete role in the ​Username​ and ​Password​ fields.
    4. Type the port number that the Splunk Enterprise instance or Splunk Cloud Platform deployment uses to listen for REST API calls in the REST Port​ field.
    5. Select the ​Use SSL for REST​ checkbox to enable SSL for REST API calls.
    6. Select the Verify Certificate for REST checkbox to enable SSL certificate verification.
    7. Type the port number for the HTTP Event Collector on the Splunk instance in the ​HTTP Event Collector Port​ field.
    8. Select the ​Use SSL for HTTP Event Collector​ checkbox to enable SSL for the HTTP Event Collector.
    9. Select the Verify Certificate for HTTP Event Collector checkbox to enable SSL certificate verification.
    10. Paste the HTTP Event Collector token in the ​HTTP Event Collector Token​ field.
    11. Click Test Connection to verify the connection to your Splunk Enterprise instance or Splunk Cloud Platform deployment.
  6. Click ​Save Changes.
Last modified on 14 December, 2021
PREVIOUS
Install and upgrade the Splunk Phantom Remote Search app
  NEXT
Connect to a distributed Splunk platform deployment

This documentation applies to the following versions of Splunk® Phantom Remote Search: 1.0.17


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters