
Connect to a standalone Splunk instance
Follow the steps listed to connect your Splunk Phantom or Splunk SOAR instance or cluster to a standalone external Splunk instance or Splunk Cloud Platform deployment.
- Set up the HTTP Event Collector on the Splunk platform.
- Create the required user accounts on the Splunk instance for Splunk Phantom.
- Configure Splunk Phantom to use an external Splunk instance.
Set up the HTTP Event Collector on the standalone Splunk platform instance
Enable the HTTP Event Collector (HEC) on the Splunk platform and create a new token so you can use the HEC. Repeat these tasks on other indexers if those other indexers require separate HEC tokens. See Scale HTTP Event Collector with distributed deployments in the Splunk Enterprise Getting Data In manual for more information.
Follow the instructions for your Splunk Enterprise or Splunk Cloud Platform deployment:
Deployment Type | Documentation |
---|---|
Splunk Enterprise | See Configure HTTP Event Collector on Splunk Enterprise for instructions. |
Splunk Cloud Platform | See Configure HTTP Event Collector on Splunk Cloud for instructions. |
Splunk Cloud Platform free trial | See Configure HTTP Event Collector on Splunk Cloud free trial for instructions. |
When you are creating the new token, add all the indexes listed below, including any custom indexes, and move them to the Selected item(s) list. Then select the index you want to use as the default index, such as phantom_app. The following screenshot shows an example.
The following is a list of all the Splunk Phantom indexes available for the HTTP Event Collector:
- phantom_action_run
- phantom_app
- phantom_app_run
- phantom_artifact
- phantom_asset
- phantom_container
- phantom_container_attachment
- phantom_container_comment
- phantom_container_note
- phantom_custom_function
- phantom_decided_list
- phantom_note
- phantom_playbook
- phantom_workflow_note
On the HTTP Event Collector page, copy the token value for the new token. You will need this value when you configure Splunk Phantom. If you don't copy it now, you can return to the HTTP Event Collector page to obtain the value later when you need it.
Upgrading to Splunk Phantom Remote Search version 1.0.17
If you are upgrading to Splunk Phantom Remote Search version 1.0.17, you will need to add the phantom_custom_function index to the HTTP Event Collector.
Using custom prefixes
If you have multiple Splunk Phantom instances in your environment, you can prepend a custom prefix to the indexes created on the Splunk platform. Use the custom prefix to create separate indexes for each Splunk Phantom instance, which provides data separation and the ability to correlate each index with the appropriate Splunk Phantom instance. For more information, see one of the following documentation links:
- If you are using Splunk Phantom 4.10.7 or lower, see the Define a custom index per Splunk Phantom instance section in the Configure search in Splunk Phantom page in the Administer Splunk Phantom manual.
- If you are using Splunk SOAR (On-premises), see Define a custom index per Splunk SOAR (On-premises) instance page in the Administer Splunk SOAR (On-premises) manual.
Restart Splunk if your Splunk Phantom indexes are not recognized
In some cases, Splunk Cloud Platform does not recognize Splunk Phantom indexes, in which case data such as the custom function data won't be indexed. You will see an error like the following example in your Splunk logs:
03-15-2021 19:10:07.802 +0000 WARN IndexAdminHandler [23800 TcpChannelThread] - idx=newsearch_phantom_custom_function Unable to reload indexer after adding: reason='already reloading or shutting down, will not reload'. Restart required.
Restart your Splunk Cloud Platform instance to resolve this issue.
Create the required user accounts on the standalone Splunk instance or Splunk Cloud Platform deployment for Splunk Phantom or Splunk SOAR
Splunk Phantom and Splunk SOAR require two user accounts with roles added by the Phantom Remote Search app. The roles are phantomsearch and phantomdelete. You can use any user names you like for these accounts. These instructions use phantomsearchuser and phantomdeleteuser as examples.
Create these accounts on a search head.
- In Splunk Web, select Settings > Access Controls.
- Create the user account with the phantomsearch role:
  - Click Users.
  - Click New User.
  - Type phantomsearchuser in the Name field.
  - Set and confirm a password for this user which complies with your organization's security policies.
  - Under Assigned role(s), in the Selected item(s) box, select user to remove that role.
  - Under Assigned role(s), in the Available item(s) box, select phantomsearch to add that role.
  - Deselect the Require password change on first login check box.
  - Click Save.
- Create the user account with the phantomdelete role:
  - Click New User.
  - Type phantomdeleteuser in the Name field.
  - Set and confirm a password for this user which complies with your organization's security policies.
  - Under Assigned role(s), in the Selected item(s) box, select user to remove that role.
  - Under Assigned role(s), in the Available item(s) box, select phantomdelete to add that role.
  - Deselect the Require password change on first login check box.
  - Click Save.
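The same two accounts can be created through the Splunk REST API, which is easier to keep consistent across environments than clicking through Splunk Web. The script below is an added example, not part of this documentation or of the Splunk Phantom Remote Search app. It POSTs to `/services/authentication/users` with exactly one role per account and `force-change-pass=0` (the REST counterpart of clearing the Require password change on first login check box, which otherwise blocks the non-interactive login from Splunk Phantom), then reads each account back and flags a missing role or a leftover default `user` role. It assumes the Splunk default management port 8089, an admin credential supplied interactively, and certificate verification on.

```python
"""Create the phantomsearch / phantomdelete service accounts via the Splunk REST API.

Added example, not Splunk's own code. Assumes the management port is 8089.
Usage: python create_phantom_users.py splunk.example.com admin
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request

# Accounts the documentation requires, keyed by role. The user names are the
# documentation's examples; any names are acceptable.
REQUIRED_ACCOUNTS = {
    "phantomsearch": "phantomsearchuser",
    "phantomdelete": "phantomdeleteuser",
}


def build_user_form(name: str, password: str, role: str) -> bytes:
    """Form body for POST /services/authentication/users: one role, no forced password change."""
    return urllib.parse.urlencode(
        [("name", name), ("password", password), ("roles", role), ("force-change-pass", "0")]
    ).encode()


def roles_from_user_entry(body: str) -> list:
    """Extract the sorted roles list from an output_mode=json user entry."""
    entry = json.loads(body)["entry"][0]
    return sorted(entry["content"].get("roles", []))


def validate_roles(assigned: list, expected_role: str) -> list:
    """Return problems: expected role missing, or extra roles (such as 'user') left on the account."""
    problems = []
    if expected_role not in assigned:
        problems.append(f"missing role {expected_role}")
    extra = [r for r in assigned if r != expected_role]
    if extra:
        problems.append(f"unexpected extra roles: {', '.join(extra)}")
    return problems


def _request(url: str, admin_user: str, admin_pass: str, data: bytes = None, verify: bool = True) -> str:
    """Authenticated GET (or POST when data is given) against the Splunk management port."""
    cred = base64.b64encode(f"{admin_user}:{admin_pass}".encode()).decode()
    req = urllib.request.Request(url, data=data, headers={"Authorization": f"Basic {cred}"},
                                 method="POST" if data else "GET")
    ctx = ssl.create_default_context()
    if not verify:  # only for lab instances with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, timeout=15, context=ctx) as resp:
        return resp.read().decode()


def create_account(host: str, admin_user: str, admin_pass: str, role: str, name: str,
                   password: str, port: int = 8089, verify: bool = True) -> list:
    """Create the user, read it back, and return validate_roles() problems (empty list = good)."""
    base = f"https://{host}:{port}/services/authentication/users"
    _request(f"{base}?output_mode=json", admin_user, admin_pass,
             data=build_user_form(name, password, role), verify=verify)
    body = _request(f"{base}/{urllib.parse.quote(name)}?output_mode=json",
                    admin_user, admin_pass, verify=verify)
    return validate_roles(roles_from_user_entry(body), role)


if __name__ == "__main__":
    import getpass
    import sys
    host, admin = sys.argv[1], sys.argv[2]
    admin_pw = getpass.getpass(f"Password for {admin}: ")
    for role, name in REQUIRED_ACCOUNTS.items():
        pw = getpass.getpass(f"Password for new user {name} ({role} role): ")
        problems = create_account(host, admin, admin_pw, role, name, pw)
        print(f"{name}: {'ok' if not problems else '; '.join(problems)}")
```

Passwords are read with `getpass` rather than taken from the command line so they do not end up in shell history or process listings. Run the script with an admin account that can create users on the search head, then use the printed results as the checklist before entering the credentials in Splunk Phantom.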
Configure Splunk Phantom or Splunk SOAR to use an external Splunk instance or Splunk Cloud Platform deployment
After the Splunk Phantom Remote Search app is installed and the required user accounts are created, configure Splunk Phantom or Splunk SOAR to use the external Splunk instance or Splunk Cloud Platform deployment.
Verify that you have required information before adding the external Splunk instance or Splunk Cloud Platform Deployment
Before proceeding, verify that you have the following:
- The host name and the REST API port number of your Splunk instance or Splunk Cloud Platform deployment.
- The HTTP Event Collector token.
- The user names and passwords for the user accounts with the phantomsearch and phantomdelete roles.
Add the external Splunk instance
Perform the following tasks to add the external Splunk Enterprise instance or Splunk Cloud Platform deployment.
- Log in to Splunk Phantom or Splunk SOAR as an administrative user.
- From the main menu, select Administration.
- Select Administration Settings.
- Select Search Settings.
- In the Search Endpoint field, select the radio button for External Splunk Enterprise Instance.
- In the Enable Splunk Search Endpoint section, type the host name of your Splunk instance in the Host field.
- In the User with Search Privileges section, type the user name and password for the user account with the phantomsearch role in the Username and Password fields.
- In the User with Delete Privileges section, type the user name and password for the user account with the phantomdelete role in the Username and Password fields.
- Type the port number that the Splunk Enterprise instance or Splunk Cloud Platform deployment uses to listen for REST API calls in the REST Port field.
- Select the Use SSL for REST checkbox to enable SSL for REST API calls.
- Select the Verify Certificate for REST checkbox to enable SSL certificate verification. Keep this selected outside of a lab: without certificate verification, anyone who can intercept the connection can impersonate the Splunk instance and capture the phantomsearch and phantomdelete credentials.
- Type the port number for the HTTP Event Collector on the Splunk instance in the HTTP Event Collector Port field.
- Select the Use SSL for HTTP Event Collector checkbox to enable SSL for the HTTP Event Collector.
- Select the Verify Certificate for HTTP Event Collector checkbox to enable SSL certificate verification. As with the REST connection, leave this selected in production so the HTTP Event Collector token is only ever sent to the genuine Splunk instance.
- Paste the HTTP Event Collector token in the HTTP Event Collector Token field.
- Click Test Connection to verify the connection to your Splunk Enterprise instance or Splunk Cloud Platform deployment.
- Click Save Changes.
This documentation applies to the following versions of Splunk® Phantom Remote Search: 1.0.17