Integrating Splunk Phantom with Splunk Enterprise

By: Joe Wohar | Splunk Consultant


There are multiple apps that can be used to integrate Phantom with Splunk, and each exists for a different reason; some of their functionality overlaps. The intent of this post is to provide a guide to which one to leverage based on the environment you are working in and the use cases driving your requirement.


Application                      | Install Target | Usage
Splunk App for Phantom           | Phantom        | Pull event data from Splunk, push event data to Splunk, add Splunk actions to Phantom playbooks.
Phantom App for Splunk           | Splunk         | Push event data to Phantom.
Phantom Remote Search            | Splunk         | Push Phantom data to Splunk.
Splunk App for Phantom Reporting | Splunk         | Report on Phantom data.
Splunk Add-on for Phantom        | Splunk         | Monitor Phantom as a service in Splunk ITSI.


Splunk App for Phantom

The Splunk App for Phantom is a Phantom app used to connect Phantom to Splunk. Phantom apps built by Splunk are installed in Phantom by default, so no installation is required; however, you’ll need to configure an asset for it. In the asset settings, you’ll need the IP address or hostname of your Splunk instance and a Splunk user with sufficient access to the data you wish to search (a dedicated account with a role scoped to only the indexes Phantom needs is preferable to reusing an admin account). The Splunk App for Phantom can: post data to Splunk as events, update notable events, run SPL queries, and pull events from Splunk to Phantom.

  • To pull events from Splunk to Phantom, you’ll need to configure the asset settings and ingest settings in your configured asset. It is recommended that you create a new label in Phantom for the events you pull in from Splunk, which will make it easier to find the events in the Analyst Queue in Phantom.
  • There are four included actions which can be used in playbooks:
    • get host events – retrieves events about a specific host from Splunk
    • post data – creates an event in your Splunk instance
    • run query – runs an SPL query in Splunk and returns the results of the search to Phantom
    • update event – updates specified notable events within your Splunk Enterprise Security instance

For specific details on using these actions, search for “splunk” on the Apps page in Phantom and click the Documentation link.


Phantom App for Splunk

The Phantom App for Splunk is a Splunkbase app that is installed in Splunk and connects Splunk to Phantom. Its main function is to send data from Splunk to Phantom. First, go through the Phantom Server Configuration page to connect Splunk to Phantom; this requires an automation user in Phantom. Then, to send events to Phantom, create a saved search in Splunk whose results are the events you want ingested into Phantom. Open the Phantom App for Splunk and create a New Saved Search Export to start sending events over. There is also an option to create a Data Model Export, which follows the same steps as exporting saved search results to Phantom.

This app also contains alert actions that can be used in Splunk Enterprise Security:

  • Send to Phantom – sends the event(s) that triggered the alert to Phantom
  • Run Playbook in Phantom – sends the event(s) that triggered the alert to Phantom and runs the specified playbook on them

For more information about the Phantom App for Splunk, review the following documents:


Phantom Remote Search

The Phantom Remote Search app serves multiple purposes. Phantom has an embedded Splunk Enterprise instance built into it; however, with this app you can configure Phantom to use an external Splunk Enterprise instance instead. To do this, install the Phantom Remote Search app on your Splunk instance; it contains the Splunk roles needed to create the two Splunk users that Phantom requires. You’ll also need to set up an HTTP Event Collector (HEC) input for receiving Phantom data. After installing the app, creating the necessary users, and creating the HEC input, go to Phantom and change the “Search Settings” under “Administration Settings”.

Click the following link for a more detailed list of instructions:

This app is also very useful because, once setup is complete, Phantom starts sending data about itself to Splunk, which allows you to shift your Phantom reporting out of Phantom and into Splunk. If your Phantom instance is brand new, with no events and no active playbooks, configure an asset or create a playbook to generate activity and confirm that Phantom data is reaching Splunk.
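As an added example, not taken from this post or from the Phantom Remote Search app, the following Python script sends one constructed test event to a HEC endpoint and interprets Splunk's reply, so you can confirm that the collector input accepts events for the intended index before switching Phantom's Search Settings to the external instance. The hostname, token, index name and sourcetype are placeholders (assumptions); substitute your own. TLS certificate verification stays on, with an optional CA file for an internal certificate authority.

```python
"""HEC smoke test for an external Splunk instance that will receive Phantom data.

Added example; not part of the original post or of any Splunk/Phantom app.
HEC_URL, HEC_TOKEN and HEC_INDEX are placeholders (assumptions), as is the
sourcetype used for the test event.
"""
import json
import ssl
import time
import urllib.error
import urllib.request

HEC_URL = "https://splunk.example.internal:8088"    # placeholder host; 8088 is Splunk's default HEC port
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"  # placeholder token from the HEC input you created
HEC_INDEX = "phantom_test"                           # placeholder index the token is allowed to write to


def build_hec_event(message, index, sourcetype="phantom:hec_check",
                    host="phantom.example.internal", when=None):
    """Return the JSON document HEC expects on /services/collector/event.

    `message` may be a string or a dict; HEC stores it as the raw event.
    """
    return {
        "time": when if when is not None else time.time(),
        "host": host,
        "index": index,
        "sourcetype": sourcetype,
        "event": message,
    }


def hec_headers(token):
    """HEC authenticates with an Authorization header whose scheme is 'Splunk'."""
    return {"Authorization": f"Splunk {token}",
            "Content-Type": "application/json"}


def classify_hec_response(status, body_text):
    """Turn an HEC reply into (accepted, reason).

    A successful write answers HTTP 200 with {"text": "Success", "code": 0}.
    Any other status or a non-zero code is a rejection; the "text" field says
    why (for example an index the token may not write to, or an invalid
    token), which is exactly what you want to see before Phantom starts
    relying on this input.
    """
    try:
        body = json.loads(body_text) if body_text else {}
    except json.JSONDecodeError:
        return False, f"HTTP {status}: non-JSON reply {body_text[:80]!r}"
    code = body.get("code")
    text = body.get("text", "")
    if status == 200 and code == 0:
        return True, text
    return False, f"HTTP {status}: code {code} {text}".rstrip()


def send_hec_event(payload, url=HEC_URL, token=HEC_TOKEN, cafile=None):
    """POST one event to HEC and classify the reply.

    Certificate checking stays on; pass `cafile` for an internal CA rather
    than disabling verification.
    """
    req = urllib.request.Request(
        url.rstrip("/") + "/services/collector/event",
        data=json.dumps(payload).encode(),
        headers=hec_headers(token),
        method="POST",
    )
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return classify_hec_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:            # 4xx/5xx replies still carry a JSON body
        return classify_hec_response(err.code, err.read().decode())
    except (urllib.error.URLError, OSError) as err:  # DNS, TLS or connection failure
        return False, f"transport error: {err}"


if __name__ == "__main__":
    event = build_hec_event({"check": "phantom hec smoke test"}, HEC_INDEX)
    accepted, reason = send_hec_event(event)
    print("HEC accepted the test event" if accepted
          else f"HEC rejected the test event: {reason}")
```

Run it once with the real host, token and index after creating the HEC input. A rejection whose reason mentions the index means the token is not permitted to write there, which is the most common reason Phantom data never appears in a search.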


Splunk App for Phantom Reporting

If you have already installed the Phantom Remote Search app onto your Splunk instance and configured your Search Settings in Phantom to use an external Splunk instance, you can install the Splunk App for Phantom Reporting onto your Splunk instance to gain insights into Phantom automation and containers.

Splunk Add-on for Phantom

The Splunk Add-on for Phantom is a Splunk add-on designed for use with Splunk ITSI to monitor your Phantom instance. ITSI is not a prerequisite, and the add-on can also be used with Splunk Enterprise, but it publishes metrics in a manner consistent with ITSI health metrics. It also expects the Phantom Remote Search add-on to be installed; that add-on defines the indexes and roles Phantom uses when it is configured to use an external Splunk instance for search data, and it is required in order to use the Content Pack for Monitoring Phantom as a Service. If you do want to use Splunk ITSI to monitor Phantom, follow the documentation for that here:

For more information about Phantom, register at which will give you access to knowledge articles, documentation, playbooks, and the OVA for Phantom so you can try it out yourself!

Need more help? Contact us today!