Getting Data In

Data Ingestion into Phantom

avinash34
Engager

How do i ingest data into Splunk Phantom ?

Tags (2)
0 Karma

ansusabu
Communicator

Phantom has some EDR/firewall apps that can help in polling data from the EDR/firewall sources. If it is not present, you can use API to ingest data into phantom.

0 Karma

sam_splunk
Splunk Employee
Splunk Employee

To add on to this, any App in phantom that has as "on-poll" action can be configured for data ingestion on the associated type.

We also allow you to write your own apps if they aren't available out of the box.
see:
https://github.com/phantomcyber/phantom-apps/
https://docs.splunk.com/Documentation/Phantom/4.8/DevelopApps/Overview

0 Karma

whrg
Motivator

Do you want to ingest data from a Splunk instance?

Check out the Splunk App for Phantom:
https://splunkbase.splunk.com/app/3411/

Under details, you will find a link to the documentation. It includes the chapter "Event Forwarding".

When you install this app, you will get new Phantom-related trigger actions like "Run Playbook in Phantom". This way, when a Splunk alert gets triggered, it will send the events to Phantom and run a specified playbook.

0 Karma

avinash34
Engager

I want to ingest data from other sources like a firewall or an EDR solution , is there is way to directly add data sources?

Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!