Splunk Enterprise Security
Highlighted

Phantom: "Run Playbook in Phantom" Servers not being listed as Options

Path Finder

In Splunk ES, under the alert actions for saved searches, there are 2 options for sending alerts to Phantom.

  1. Send to Phantom
  2. Run Playbook in Phantom

For some reason the "Send to Phantom" works fine and I can see the Phantom servers I want to send to. However, the "Run Playbook in Phantom" server drop down comes back with no results.
Is there something I need to do on the Phantom Server side (maybe with the playbooks I want to use themselves?) so I can use this option, or is this a separate permission issue on Splunk's side?

0 Karma
Highlighted

Re: Phantom: "Run Playbook in Phantom" Servers not being listed as Options

Path Finder

Found the fix.
You need to "Sync Playbooks" in the Phantom Server Configuration Settings.
Once you are in that portal on ES, select the "Manage" drop down for the Phantom Server you want to run playbooks on and click the "Sync playbooks" option.

View solution in original post

Highlighted

Re: Phantom: "Run Playbook in Phantom" Servers not being listed as Options

Path Finder

It cannot be applied to the Enterprise version.

If you are running the Phantom App on Splunk on a Splunk ES server, then additional options are available to you. You can use "Send to Phantom" and "Run Playbook in Phantom" as alert actions, and you can send notable events to Phantom as an Adaptive Response Action.

Note: These alert actions will show up in the interface on regular Splunk (non-ES), but they ONLY work on Splunk ES.

0 Karma