Solved: Phantom: "Run Playbook in Phantom" Servers not bei...

jamolson · ‎07-08-2019

In Splunk ES, under the alert actions for saved searches, there are 2 options for sending alerts to Phantom.

Send to Phantom
Run Playbook in Phantom

For some reason the "Send to Phantom" works fine and I can see the Phantom servers I want to send to. However, the "Run Playbook in Phantom" server drop down comes back with no results.
Is there something I need to do on the Phantom Server side (maybe with the playbooks I want to use themselves?) so I can use this option, or is this a separate permission issue on Splunk's side?

jamolson · ‎07-19-2019

Found the fix.
You need to "Sync Playbooks" in the Phantom Server Configuration Settings.
Once you are in that portal on ES, select the "Manage" drop down for the Phantom Server you want to run playbooks on and click the "Sync playbooks" option.

View solution in original post

louismai · ‎11-17-2019

It cannot be applied to the Enterprise version.

If you are running the Phantom App on Splunk on a Splunk ES server, then additional options are available to you. You can use "Send to Phantom" and "Run Playbook in Phantom" as alert actions, and you can send notable events to Phantom as an Adaptive Response Action.

Note: These alert actions will show up in the interface on regular Splunk (non-ES), but they ONLY work on Splunk ES.

jamolson · ‎07-19-2019

Found the fix.
You need to "Sync Playbooks" in the Phantom Server Configuration Settings.
Once you are in that portal on ES, select the "Manage" drop down for the Phantom Server you want to run playbooks on and click the "Sync playbooks" option.

Phantom: "Run Playbook in Phantom" Servers not being listed as Options

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...