Splunk Enterprise Security

Phantom: "Run Playbook in Phantom" Servers not being listed as Options

jamolson
Path Finder

In Splunk ES, under the alert actions for saved searches, there are 2 options for sending alerts to Phantom.

  1. Send to Phantom
  2. Run Playbook in Phantom

For some reason the "Send to Phantom" works fine and I can see the Phantom servers I want to send to. However, the "Run Playbook in Phantom" server drop down comes back with no results.
Is there something I need to do on the Phantom Server side (maybe with the playbooks I want to use themselves?) so I can use this option, or is this a separate permission issue on Splunk's side?

0 Karma
1 Solution

jamolson
Path Finder

Found the fix.
You need to "Sync Playbooks" in the Phantom Server Configuration Settings.
Once you are in that portal on ES, select the "Manage" drop down for the Phantom Server you want to run playbooks on and click the "Sync playbooks" option.

View solution in original post

louismai
Path Finder

It cannot be applied to the Enterprise version.

If you are running the Phantom App on Splunk on a Splunk ES server, then additional options are available to you. You can use "Send to Phantom" and "Run Playbook in Phantom" as alert actions, and you can send notable events to Phantom as an Adaptive Response Action.

Note: These alert actions will show up in the interface on regular Splunk (non-ES), but they ONLY work on Splunk ES.

0 Karma

jamolson
Path Finder

Found the fix.
You need to "Sync Playbooks" in the Phantom Server Configuration Settings.
Once you are in that portal on ES, select the "Manage" drop down for the Phantom Server you want to run playbooks on and click the "Sync playbooks" option.

Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...