
Can Phantom be integrated with Splunk without Splunk ES being used?

Communicator

I want to integrate Phantom for SOC automation and I was wondering if I can integrate Splunk without ES app and there is very little documentation about it. Any guidance would be helpful.

0 Karma

SplunkTrust

Yes, it can!

There was nothing involved in the setup of Phantom in our environment (which I just did this morning, in fact) that required ES.

Follow the docs (or this youtube video) on setting up the linkage pieces with the API keys and things, right? Once you have the two set up, they should be able to talk to one another...

Craft yourself up a search for which you'd like to send the results over to Phantom. For instance,

sourcetype="symantec:ep:behavior:file"  action="blocked" NOT Autorun earliest=-5m

Or maybe

sourcetype="cisco:amp:event" earliest=-5m

Then once you get that so it shows what you need, click Save As, Alert.

Fill out the settings as appropriate and off you go!

FYI, in this case I have hardcoded a 5-minute window - we don't use RT around here much because it's too abusive to performance, so I use a cron schedule of */5 * * * * and trigger when Number of Results is greater than 0 (once for each result), then add the action Send to Phantom and pick your instance, sensitivity and severity.

Wait for one to occur (or, in this case, save the EICAR string to disk!) and in a few moments you'll see it in Phantom.

SplunkTrust

Obviously you'll have to come up with your own searches... those are just two that we can use in our environment to have Phantom trigger full scans on a PC, or whatever. Do some lookups and things. 🙂

0 Karma

Communicator

This was hugely helpful.
I did set up Phantom and Splunk to talk to each other. All good there.

Wrote a query and set up the alert, and as the action I chose the Send to Phantom option. The alert was triggered but I don't see anything in Phantom. It's been about 5 minutes.

Am I missing something?

0 Karma

SplunkTrust

In our case they didn't seem to show up right away on the Home dashboard[1], but they did show up right away in Sources -> Events. They are named like the alert is named in Splunk.

Do you see them there? We can troubleshoot more later, but let's at least confirm there's really an issue to troubleshoot.

[1] They NOW show up in the dashboard, so I dunno about that. I'm not a Phantom expert. In fact, I only barely know the little bit I do know. 🙂

0 Karma
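A scripted version of the check suggested above (did the "Send to Phantom" action actually create an event/container named after the Splunk alert in the last few minutes?), added here as an example and not code from either poster. It assumes the Phantom REST endpoint /rest/container with a ph-auth-token header and Django-style _filter_ query parameters; the server URL, token and the sample listing are placeholders constructed for illustration.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

# Placeholders: point these at your Phantom instance and an automation user's token.
PHANTOM_URL = "https://phantom.example.local"
PHANTOM_TOKEN = "REPLACE_WITH_PH_AUTH_TOKEN"


def fetch_containers(alert_name, url=PHANTOM_URL, token=PHANTOM_TOKEN):
    """Ask Phantom for containers whose name contains the Splunk alert name.

    The filter value is JSON-encoded because Phantom expects a quoted literal.
    Returns the decoded JSON listing ({"count": N, "data": [...]}).
    """
    params = urllib.parse.urlencode({
        "_filter_name__icontains": json.dumps(alert_name),
        "sort": "create_time", "order": "desc", "page_size": 50,
    })
    req = urllib.request.Request(f"{url}/rest/container?{params}",
                                 headers={"ph-auth-token": token})
    with urllib.request.urlopen(req, timeout=15) as resp:  # TLS verified by default
        return json.load(resp)


def recent_containers(listing, alert_name, within_minutes, now=None):
    """Filter a container listing down to entries named after the alert and
    created within the last `within_minutes` minutes. Returns (id, name, created)."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(minutes=within_minutes)
    hits = []
    for c in listing.get("data", []):
        if alert_name.lower() not in c.get("name", "").lower():
            continue
        created = datetime.strptime(c["create_time"], "%Y-%m-%dT%H:%M:%S.%fZ")
        created = created.replace(tzinfo=timezone.utc)
        if created >= cutoff:
            hits.append((c["id"], c["name"], created))
    return hits


# Constructed sample of what /rest/container returns; not real data.
SAMPLE_LISTING = {
    "count": 3,
    "data": [
        {"id": 42, "name": "SEP blocked file", "label": "events",
         "create_time": "2020-05-01T10:04:30.000000Z"},
        {"id": 41, "name": "SEP blocked file", "label": "events",
         "create_time": "2020-05-01T09:10:00.000000Z"},
        {"id": 40, "name": "AMP event", "label": "events",
         "create_time": "2020-05-01T10:03:00.000000Z"},
    ],
}
```

Run fetch_containers("<your alert name>") against your instance and pass the result to recent_containers with the alert's cron interval; an empty result means the action never reached Phantom, which points at the Splunk side (alert action logs) rather than the Phantom dashboard.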

Motivator

You can integrate the Phantom app even without Splunk ES.