topic Re: Data Ingestion into Phantom in Getting Data In

Data Ingestion into Phantom

avinash34 — Mon, 23 Mar 2020 17:03:38 GMT

How do i ingest data into Splunk Phantom ?

Re: Data Ingestion into Phantom

whrg — Mon, 23 Mar 2020 18:20:19 GMT

Do you want to ingest data from a Splunk instance?

Check out the Splunk App for Phantom:
https://splunkbase.splunk.com/app/3411/

Under details, you will find a link to the documentation. It includes the chapter "Event Forwarding".

When you install this app, you will get new Phantom-related trigger actions like "Run Playbook in Phantom". This way, when a Splunk alert gets triggered, it will send the events to Phantom and run a specified playbook.

Re: Data Ingestion into Phantom

avinash34 — Tue, 24 Mar 2020 05:55:33 GMT

I want to ingest data from other sources like a firewall or an EDR solution , is there is way to directly add data sources?

Re: Data Ingestion into Phantom

ansusabu — Tue, 24 Mar 2020 06:25:09 GMT

Phantom has some EDR/firewall apps that can help in polling data from the EDR/firewall sources. If it is not present, you can use API to ingest data into phantom.

Re: Data Ingestion into Phantom

sam_splunk — Wed, 25 Mar 2020 22:18:04 GMT

To add on to this, any App in phantom that has as "on-poll" action can be configured for data ingestion on the associated type.

We also allow you to write your own apps if they aren't available out of the box.
see:
https://github.com/phantomcyber/phantom-apps/
https://docs.splunk.com/Documentation/Phantom/4.8/DevelopApps/Overview