Yes, it can!
There was nothing involved in the setup of Phantom in our environment (which I just did this morning, in fact) that required ES.
Follow the docs (or this youtube video) on setting up the linkage pieces with the API keys and things, right? Once you have the two set up, they should be able to talk to one another...
Craft yourself up a search for which you'd like to send the results over to Phantom. For instance,
sourcetype="symantec:ep:behavior:file" action="blocked" NOT Autorun earliest=-5m
Then once you get that so it shows what you need, click Save As, Alert.
Fill out the settings as appropriate and off you go!
FYI, in this case I have hardcoded a 5 minute window - we don't use RT around here much because it's too abusive to performance, so I use a cron schedule of
*/5 * * * * and trigger when Number of Results is greater than 0 (once for each result), then add action for Send to Phantom and pick your instance, sensitivity and severity.
Wait for one to occur (or, in this case, save the EICAR string to disk!) and in a few moments you'll see it in Phantom.
Obviously you'll have to come up with your own searches... those are just two that we can use in our environment to have Phantom trigger full scans on a PC, or whatever. Do some lookups and things. 🙂
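The alert described above, written out as a savedsearches.conf stanza rather than clicked through the UI. This is an added example, not from the original thread; the sendtophantom action name and its phantom_server, sensitivity and severity parameter names are assumed from the Splunk App for Phantom and should be checked against the alert_actions.conf that ships with your version of the app.

```ini
# Added example: the scheduled alert from the answer above, as a
# savedsearches.conf stanza (for example in an app's local/ directory).
[Symantec blocked file - send to Phantom]
# The search exactly as given in the answer, including the hardcoded
# 5-minute window (earliest=-5m) instead of a real-time search.
search = sourcetype="symantec:ep:behavior:file" action="blocked" NOT Autorun earliest=-5m

# Run on a cron schedule every 5 minutes.
enableSched = 1
cron_schedule = */5 * * * *

# Trigger when Number of Results is greater than 0 ...
counttype = number of events
relation = greater than
quantity = 0
# ... once for each result: digest mode off runs the action per result row.
alert.digest_mode = 0
# Also list firings under Triggered Alerts, which helps when confirming
# that the alert fired even if nothing shows up in Phantom yet.
alert.track = 1

# "Send to Phantom" action. Action and parameter names are an assumption
# based on the Splunk App for Phantom; verify against its alert_actions.conf.
actions = sendtophantom
action.sendtophantom = 1
action.sendtophantom.param.phantom_server = <PHANTOM_INSTANCE_NAME_FROM_APP_CONFIG>
action.sendtophantom.param.sensitivity = amber
action.sendtophantom.param.severity = medium
```

After deploying, check Sources -> Events in Phantom for containers named after the stanza, since that is where they appear first.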
This was hugely helpful.
I did set up Phantom and Splunk to talk to each other. All good there.
Wrote a query and set up the alert, and as the action I chose the Send to Phantom option. The alert was triggered but I don't see anything in Phantom. It's been about 5 minutes.
Am I missing something?
In our case they didn't seem to show up right away on the Home dashboard, but they did show up right away in Sources -> Events. They are named like the alert is named in Splunk.
Do you see them there? We can troubleshoot more later, but let's at least confirm there's really an issue to troubleshoot.
They NOW show up in the dashboard, so I dunno about that. I'm not a Phantom expert. In fact, I only barely know the little bit I do know. 🙂