Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Add-on for Phantom Remote search app

VijaySrrie
Builder
‎10-11-2021 06:14 PM

Hi,

I need to install the below add-on, this add-on creates indexes and required roles, we dont want the add-on to control the indexes, so indexes.conf in this add-on is taken out , and we will create the indexes. 

We want 14 indexes to be created, but is it Ok to go with one index and have different sourcetypes?

We do have other configs provided in the add-on, will there be any impact if we go with one index with multiple sourcetypes also during add-on update, will there be any impact?

 

https://splunkbase.splunk.com/app/4153/

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎10-11-2021 08:39 PM

Hi @VijaySrrie 

Phantom SOAR works with indexes provided by this remote search add-on, the index names must all be prefixed with phantom* isn't it?

It's advisable to go with defaults what this add-on provides unless you know what specific features you are after. Technically you can take out all indexes and create separately but i would create all 14 indexes on indexers.

---

An upvote would be appreciated if this reply helps!

 

View solution in original post

Tags (1)
Reply
Solved! Jump to solution

VijaySrrie
Builder
‎10-19-2021 07:36 PM

I am testing this in multicluster sandpit

1. HEC token is created in HF

2. 14 indexes are created in Indexer

3. Roles/users/Splunk app for phantom reporting app is created in Search Head

4. In Phantom end --> HF IP ,Users, HEC token is given

But Test connectivity is failing

vijaysri_0-1634697398723.png

 

0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎10-19-2021 08:14 PM

@VijaySrrie  I would suggest to post a new question as this was already closed and topic is different from originally posted on this.

0 Karma
Reply
Solved! Jump to solution

VijaySrrie
Builder
‎10-11-2021 10:21 PM

We have roles -  [role_PhantomDelete] and [role_PhantomSearch]
Can we go ahead and create roles as per our splunk environment?

We have two users - phantomsearchuser and phantomdeleteuser (Can we go with different user ID's as per our user-id creation policy)

1. The index creation should go to masterapps 

2. Have created a new SearchHead app for both the add-ons (Phantom Remote search app  and Splunk App for Phantom reporting )

3. HEC token will go to deployment-apps

4. We have some props.conf and transforms.conf in both the add-ons (where should that go?)

Now, I am stuck with userID creation and role creation.

0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎10-11-2021 10:45 PM

if you change users then you should update same phantom product that runs differently, there are dashboard splunk phantom supported apps provide rely on these indexes, you need to change at heaps of places.

I wouldn't do changes unless understand where to update them, it's too difficult when things won't work as this product is relatively new.

Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎10-11-2021 08:39 PM

Hi @VijaySrrie 

Phantom SOAR works with indexes provided by this remote search add-on, the index names must all be prefixed with phantom* isn't it?

It's advisable to go with defaults what this add-on provides unless you know what specific features you are after. Technically you can take out all indexes and create separately but i would create all 14 indexes on indexers.

---

An upvote would be appreciated if this reply helps!

 

Tags (1)
Reply
Get Updates on the Splunk Community!

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Last month, I met with a Senior Fraud Analyst at a nationally recognized bank to discuss their recent success ...

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...

What has been announced?  In the blog, “Preparing your Splunk Environment for OpensSSL3,”we announced the ...

New This Month in Splunk Observability Cloud - Synthetic Monitoring updates, UI ...

This month, we’re delivering several platform, infrastructure, application and digital experience monitoring ...
Top