Getting Data In

Add-on for Phantom Remote search app

VijaySrrie
Builder

Hi,

I need to install the below add-on, this add-on creates indexes and required roles, we dont want the add-on to control the indexes, so indexes.conf in this add-on is taken out , and we will create the indexes. 

We want 14 indexes to be created, but is it Ok to go with one index and have different sourcetypes?

We do have other configs provided in the add-on, will there be any impact if we go with one index with multiple sourcetypes also during add-on update, will there be any impact?

 

https://splunkbase.splunk.com/app/4153/

Labels (3)
0 Karma
1 Solution

venkatasri
SplunkTrust
SplunkTrust

Hi @VijaySrrie 

Phantom SOAR works with indexes provided by this remote search add-on, the index names must all be prefixed with phantom* isn't it?

It's advisable to go with defaults what this add-on provides unless you know what specific features you are after. Technically you can take out all indexes and create separately but i would create all 14 indexes on indexers.

---

An upvote would be appreciated if this reply helps!

 

View solution in original post

Tags (1)

VijaySrrie
Builder

I am testing this in multicluster sandpit

1. HEC token is created in HF

2. 14 indexes are created in Indexer

3. Roles/users/Splunk app for phantom reporting app is created in Search Head

4. In Phantom end --> HF IP ,Users, HEC token is given

But Test connectivity is failing

vijaysri_0-1634697398723.png

 

0 Karma

venkatasri
SplunkTrust
SplunkTrust

@VijaySrrie  I would suggest to post a new question as this was already closed and topic is different from originally posted on this.

0 Karma

VijaySrrie
Builder

We have roles -  [role_PhantomDelete] and [role_PhantomSearch]
Can we go ahead and create roles as per our splunk environment?

We have two users - phantomsearchuser and phantomdeleteuser (Can we go with different user ID's as per our user-id creation policy)

1. The index creation should go to masterapps 

2. Have created a new SearchHead app for both the add-ons (Phantom Remote search app  and Splunk App for Phantom reporting )

3. HEC token will go to deployment-apps

4. We have some props.conf and transforms.conf in both the add-ons (where should that go?)

Now, I am stuck with userID creation and role creation.

0 Karma

venkatasri
SplunkTrust
SplunkTrust

if you change users then you should update same phantom product that runs differently, there are dashboard splunk phantom supported apps provide rely on these indexes, you need to change at heaps of places.

I wouldn't do changes unless understand where to update them, it's too difficult when things won't work as this product is relatively new.

venkatasri
SplunkTrust
SplunkTrust

Hi @VijaySrrie 

Phantom SOAR works with indexes provided by this remote search add-on, the index names must all be prefixed with phantom* isn't it?

It's advisable to go with defaults what this add-on provides unless you know what specific features you are after. Technically you can take out all indexes and create separately but i would create all 14 indexes on indexers.

---

An upvote would be appreciated if this reply helps!

 

Tags (1)
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...