Splunk Enterprise Security

Phantom: "Run Playbook in Phantom" Servers not being listed as Options

jamolson
Path Finder

In Splunk ES, under the alert actions for saved searches, there are 2 options for sending alerts to Phantom.

  1. Send to Phantom
  2. Run Playbook in Phantom

For some reason the "Send to Phantom" works fine and I can see the Phantom servers I want to send to. However, the "Run Playbook in Phantom" server drop down comes back with no results.
Is there something I need to do on the Phantom Server side (maybe with the playbooks I want to use themselves?) so I can use this option, or is this a separate permission issue on Splunk's side?

0 Karma
1 Solution

jamolson
Path Finder

Found the fix.
You need to "Sync Playbooks" in the Phantom Server Configuration Settings.
Once you are in that portal on ES, select the "Manage" drop down for the Phantom Server you want to run playbooks on and click the "Sync playbooks" option.

View solution in original post

louismai
Path Finder

It cannot be applied to the Enterprise version.

If you are running the Phantom App on Splunk on a Splunk ES server, then additional options are available to you. You can use "Send to Phantom" and "Run Playbook in Phantom" as alert actions, and you can send notable events to Phantom as an Adaptive Response Action.

Note: These alert actions will show up in the interface on regular Splunk (non-ES), but they ONLY work on Splunk ES.

0 Karma

jamolson
Path Finder

Found the fix.
You need to "Sync Playbooks" in the Phantom Server Configuration Settings.
Once you are in that portal on ES, select the "Manage" drop down for the Phantom Server you want to run playbooks on and click the "Sync playbooks" option.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...