In Splunk ES, under the alert actions for saved searches, there are 2 options for sending alerts to Phantom.
For some reason the "Send to Phantom" works fine and I can see the Phantom servers I want to send to. However, the "Run Playbook in Phantom" server drop down comes back with no results.
Is there something I need to do on the Phantom Server side (maybe with the playbooks I want to use themselves?) so I can use this option, or is this a separate permission issue on Splunk's side?
Found the fix.
You need to "Sync Playbooks" in the Phantom Server Configuration Settings.
Once you are in that portal on ES, select the "Manage" drop down for the Phantom Server you want to run playbooks on and click the "Sync playbooks" option.
It cannot be applied to the Enterprise version.
If you are running the Phantom App on Splunk on a Splunk ES server, then additional options are available to you. You can use "Send to Phantom" and "Run Playbook in Phantom" as alert actions, and you can send notable events to Phantom as an Adaptive Response Action.
Note: These alert actions will show up in the interface on regular Splunk (non-ES), but they ONLY work on Splunk ES.
Found the fix.
You need to "Sync Playbooks" in the Phantom Server Configuration Settings.
Once you are in that portal on ES, select the "Manage" drop down for the Phantom Server you want to run playbooks on and click the "Sync playbooks" option.