Integrating Splunk Phantom with Splunk Enterprise
By: Joe Wohar | Splunk Consultant
There are multiple apps that can be used to integrate Phantom with Splunk, and each exists for a different reason, although some of their functionality overlaps. The intent of this post is to provide a guide to which one to leverage, based on the environment you are working in and the use cases driving your requirement.
| App | Installed in | Purpose |
|---|---|---|
| Splunk App for Phantom | Phantom | Pull event data from Splunk, push event data to Splunk, add Splunk actions to Phantom playbooks. |
| Phantom App for Splunk | Splunk | Push event data to Phantom |
| Phantom Remote Search | Splunk | Push Phantom data to Splunk |
| Splunk App for Phantom Reporting | Splunk | Report on Phantom data |
| Splunk Add-on for Phantom | Splunk | Used for monitoring Phantom as a service in Splunk ITSI |
Splunk App for Phantom
The Splunk App for Phantom is a Phantom app used to connect Phantom to Splunk. Phantom apps that are built by Splunk are installed in Phantom by default, so no installation is required; however, you’ll need to configure an asset for it. In the asset settings, you’ll need the IP/hostname of your Splunk instance as well as a Splunk user with sufficient access to the data you wish to search. The Splunk App for Phantom can do the following: post data to Splunk as events, update notable events, run SPL queries, and pull events from Splunk to Phantom.
- To pull events from Splunk to Phantom, you’ll need to configure the asset settings and ingest settings in your configured asset. It is recommended that you create a new label in Phantom for the events you pull in from Splunk, which will make it easier to find the events in the Analyst Queue in Phantom.
- There are four included actions which can be used in playbooks:
- get host events – retrieves events about a specific host from Splunk
- post data – creates an event in your Splunk instance
- run query – runs an SPL query in Splunk and returns the results of the search to Phantom
- update event – updates specified notable events within your Splunk Enterprise Security instance
For specific details on using these actions, search for “splunk” on the Apps page in Phantom and click the Documentation link:
Phantom App for Splunk https://splunkbase.splunk.com/app/3411/
The Phantom App for Splunk is a Splunkbase app that is installed in Splunk and connects Splunk to Phantom. The main function of this app is to send data from Splunk to Phantom. First, you’ll need to go through the Phantom Server Configuration page to connect Splunk to Phantom, which will require an automation user in Phantom. Then, to send events to Phantom, you’ll need to create a saved search in Splunk where the results of the search are the events you want ingested into Phantom. Open the Phantom App for Splunk and create a New Saved Search Export to start sending events over. There is also an option to create a Data Model Export, which follows the same set of steps used for exporting saved search results to Phantom:
This app also contains alert actions that can be used in Splunk Enterprise Security:
- Send to Phantom – sends the event(s) that triggered the alert to Phantom
- Run Playbook in Phantom – sends the event(s) that triggered the alert to Phantom and runs the specified playbook on them
For more information about the Phantom App for Splunk, review the following documents:
Phantom Remote Search https://splunkbase.splunk.com/app/4153/
The Phantom Remote Search app is used for multiple reasons. Phantom has an embedded Splunk Enterprise instance built into it; however, you can configure Phantom to use an external Splunk Enterprise instance instead via this app. To do this, you’ll need to install the Phantom Remote Search app onto your Splunk instance, which contains the Splunk roles needed for creating the two Splunk users required by Phantom. You’ll also need to set up an HTTP Event Collector (HEC) input for receiving Phantom data. After installing the app, creating the necessary users, and creating the HEC input, you can go over to Phantom and change the “Search Settings” in the “Administration Settings”:
Click the following link for a more detailed list of instructions:
This app is also very useful because once you have completed the setup, Phantom will start sending data about itself over to Splunk. This allows you to shift your Phantom reporting out of Phantom and into Splunk. If your Phantom instance is brand new with no events and no active playbooks, configure an asset or create a playbook to test whether or not Phantom data is being sent to Splunk.
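As an added example, not code from this post or from Splunk, the following Python shows the shape of the HTTP Event Collector request that the external Splunk instance receives in this setup: each event is wrapped in the HEC envelope with its index, sourcetype and host fixed by the sender, the token travels in the `Authorization: Splunk <token>` header, and the JSON reply is checked for `code` 0 before the batch counts as delivered. The host name, port, token, index and sourcetype values are constructed placeholders; `send_batch` and its injectable `opener` are hypothetical helpers for exercising the flow without a live instance, not part of the Phantom Remote Search app.

```python
import json
import time
import urllib.request
from typing import Callable, Iterable, Optional

# Constructed placeholders for this example; replace with your own values.
SPLUNK_HOST = "splunk.example.internal"   # external Splunk instance
HEC_PORT = 8088                            # default HEC port
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"  # placeholder token
HEC_PATH = "/services/collector/event"


def hec_headers(token: str) -> dict:
    """HEC authenticates with a header of the form 'Authorization: Splunk <token>'."""
    return {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}


def build_hec_batch(events: Iterable[dict], index: str, sourcetype: str,
                    host: str, source: str = "phantom") -> bytes:
    """Wrap each raw event in the HEC envelope and join the envelopes into one batch body.

    HEC accepts several JSON objects in a single request. Index, sourcetype and
    host are set on the envelope by the sender, so a field inside the event
    payload cannot redirect the event to a different index.
    """
    lines = []
    for ev in events:
        # An explicit '_time' (epoch seconds) in the event wins over the send time.
        ts = ev.get("_time") or time.time()
        payload = {k: v for k, v in ev.items() if k != "_time"}
        envelope = {
            "time": ts,
            "host": host,
            "source": source,
            "sourcetype": sourcetype,
            "index": index,
            "event": payload,
        }
        lines.append(json.dumps(envelope, separators=(",", ":")))
    return "\n".join(lines).encode("utf-8")


def parse_hec_response(text: str) -> bool:
    """HEC replies with JSON such as {"text":"Success","code":0}; only code 0 means accepted."""
    try:
        reply = json.loads(text)
    except json.JSONDecodeError:
        return False
    return reply.get("code") == 0


def send_batch(splunk_host: str, token: str, body: bytes, port: int = HEC_PORT,
               opener: Optional[Callable] = None) -> bool:
    """POST one batch to HEC and report whether Splunk acknowledged it.

    'opener' is a hypothetical injection point so the call can be exercised
    without a live Splunk instance; by default urllib performs the request.
    """
    url = f"https://{splunk_host}:{port}{HEC_PATH}"
    req = urllib.request.Request(url, data=body, headers=hec_headers(token), method="POST")
    open_fn = opener or urllib.request.urlopen
    with open_fn(req, timeout=10) as resp:
        return parse_hec_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample events resembling what Phantom forwards about itself.
    sample = [
        {"container_id": 7, "name": "Suspicious login", "_time": 1700000000},
        {"action": "run query", "app": "Splunk", "status": "success"},
    ]
    batch = build_hec_batch(sample, index="phantom_container",
                            sourcetype="phantom_container", host="phantom01")
    print(batch.decode("utf-8"))  # inspect the envelopes before sending
    # send_batch(SPLUNK_HOST, HEC_TOKEN, batch)  # run against a live HEC input
```

The check worth keeping from this is the one on the reply: HEC returns HTTP 200 with a non-zero `code` for problems such as a token that is not allowed to write to the requested index, so a sender that only looks at the status line will silently drop Phantom data. On the Splunk side, restricting the HEC input to the Phantom indexes created by the Remote Search app keeps a leaked token from writing anywhere else.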
Splunk App for Phantom Reporting https://splunkbase.splunk.com/app/4399/
If you have already installed the Phantom Remote Search app onto your Splunk instance and configured your Search Settings in Phantom to use an external Splunk instance, you can install the Splunk App for Phantom Reporting onto your Splunk instance to gain insights into Phantom automation and containers:
Splunk Add-on for Phantom https://splunkbase.splunk.com/app/4726/
The Splunk Add-on for Phantom is a Splunk add-on designed for use with Splunk ITSI to monitor your Phantom instance. ITSI is not a prerequisite; the add-on can also be used with Splunk Enterprise alone, but it publishes metrics in a manner that is consistent with ITSI health metrics. It also expects the Phantom Remote Search add-on to be installed. The Phantom Remote Search add-on defines the indexes and roles used by Phantom when Phantom is configured to use an external Splunk instance for search data, and it is required in order to use the Content Pack for Monitoring Phantom as a Service. If you do want to use Splunk ITSI to monitor Phantom, you can follow the documentation for that here:
For more information about Phantom, register at https://my.phantom.us/ which will give you access to knowledge articles, documentation, playbooks, and the OVA for Phantom so you can try it out yourself!