Hi,
Using Phantom 3.5 on Splunk 7.0.1 & ESS 5.0.
Having an issue when users NOT in the Splunk Admin role want to "Send to Phantom" via "Adaptive response actions" - then the population for the Phantom server isn't found. If the user has the Admin role it works fine - but I don't want the security users/role to have the Admin role.
Any idea on what to do to get the population to return the Phantom server?
KR //Torben
I had encountered another issue. The Adaptive response action GUI on my search head says that the search hasn't returned any results to populate the Phantom instance & playbook dropdown. After a little research, I figured out that the search is delegated to the indexer, which doesn't have the Phantom instance configured.
To solve it, the search needs to be run locally on the search head, or Phantom needs to be configured on the indexing layer as well.
I took the easy way and changed runphantomplaybook.html and sendtophantom.html, adding splunk_server=local before the pipe.