Splunk® Phantom App for Splunk

Use the Splunk Phantom App for Splunk to Forward Events

Splunk Phantom App for Splunk has been replaced by Splunk App for SOAR Export.

Verify that data can be pushed from the Splunk platform to Splunk Phantom or Splunk SOAR

Perform the following steps to verify that data can be pushed from the Splunk platform to Splunk Phantom or Splunk SOAR. In this example, we will send an event with the IP address 123.45.66.77 to a Splunk Phantom server named "Default Splunk Phantom":

  1. If you are not using Splunk Enterprise Security (ES), make sure you have installed the Splunk Common Information Model (CIM) app from Splunkbase.
  2. On your Splunk platform, go to the Search & Reporting app.
  3. Enter the following search:

    | makeresults | eval src_ip="123.45.66.77" | sendalert sendtophantom param.phantom_server="Default Splunk Phantom" param.sensitivity="amber" param.severity="low" param.label="events"

    The param.phantom_server value must exactly match the value in Name field of your Splunk Phantom server configuration.

  4. Log in to your Splunk Phantom or Splunk SOAR instance.
  5. From the Main Menu, select Sources and verify that there is an Ad hoc search result.
  6. Click on Ad hoc search result.
  7. Verify that the source IP, 123.45.66.77 in our example, exists as an artifact.

If you do not see the artifact, review the job log for any errors, and validate network connectivity over TCP port 443 from the Splunk search head to Splunk Phantom or Splunk SOAR.

Last modified on 06 April, 2022
Connect the Splunk Phantom App for Splunk and the Splunk Platform to a Splunk Phantom server or Splunk SOAR   Configure a Splunk asset in Splunk Phantom or Splunk SOAR to pull data from the Splunk platform

This documentation applies to the following versions of Splunk® Phantom App for Splunk: 4.1.73


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters