Splunk Enterprise

Forward Events into Phantom

mripp
New Member

I am currently using Splunk Enterprise 8.0.3 and Phantom version 4.8.24304. All Phantom apps have been installed and are configured correctly.

In Splunk Web, I have successfully configured the Phantom Server in the App, and applied the Splunk Enterprise instance IP under the "allowed ips" in Phantom.

I have tried two ways of forwarding data into Phantom from Splunk: through the event forwarding of saved searches and through the HTTP Event Collector (HEC). Splunk Web and Phantom are on two different VMs. I am not able to connect using the HEC in Phantom under the Search Settings option, and the saved search for event forwarding never appears in Phantom.

For the HEC, I used the following URL: hxxp://splunk_host:8088/services/collector/event. Each time, whether using http or https, the request 404's out.

The saved search function allows me to choose "Send to Phantom", but again I am not seeing any events in Phantom. I have verified connectivity between the VMs and there are no issues there. The problem lies somewhere with my HEC and the saved searches for forwarding.

My VM is listening on port 8088 for HEC.

Any help would be greatly appreciated.

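To narrow down a 404 like the one described in the question, it helps to send a single event to the HEC endpoint outside of Phantom and look at the status code Splunk actually returns. The client below is an added example, not code from the thread or from the Splunk/Phantom apps; the host name and token are placeholders, and the port and path are the standard HEC defaults mentioned above (8088, /services/collector/event). The status-to-cause mapping follows the HEC response codes Splunk documents; 404 is not one of them, which is why it points to the request reaching something other than the HEC listener.

```python
"""Minimal Splunk HEC test client (added example; hosts and token are placeholders)."""
import json
import ssl
import urllib.error
import urllib.request

HEC_PATH = "/services/collector/event"


def build_hec_request(host, token, event, *, port=8088, scheme="https",
                      sourcetype="hec_test", index=None):
    """Return (url, headers, body) for one HEC event POST.

    HEC authenticates with an 'Authorization: Splunk <token>' header and
    expects a JSON object whose 'event' key carries the payload.
    """
    url = f"{scheme}://{host}:{port}{HEC_PATH}"
    headers = {
        "Authorization": f"Splunk {token}",
        "Content-Type": "application/json",
    }
    payload = {"event": event, "sourcetype": sourcetype}
    if index:
        payload["index"] = index
    body = json.dumps(payload).encode("utf-8")
    return url, headers, body


def explain_hec_status(status):
    """Map an HTTP status from the collector endpoint to a likely cause."""
    causes = {
        200: "accepted: HEC is reachable and the token is valid",
        400: "bad request: malformed JSON, missing 'event' field, or index not allowed for this token",
        401: "authorization missing or invalid: check the 'Authorization: Splunk <token>' header",
        403: "token rejected: the HEC token is invalid or disabled",
        503: "server busy: Splunk is up but refusing HEC traffic right now",
    }
    if status in causes:
        return causes[status]
    if status == 404:
        # 404 is not a HEC response code; the request reached a listener that
        # does not serve /services/collector/event (wrong host, port, path or
        # a proxy in front of Splunk), or HEC is not enabled on that instance.
        return "not found: request did not reach an enabled HEC input (check host, port 8088, path, and global HEC settings)"
    return f"unexpected status {status}"


def send_hec_event(host, token, event, *, verify_tls=True, **kwargs):
    """POST one event and return (status, explanation). Never raises on HTTP errors."""
    url, headers, body = build_hec_request(host, token, event, **kwargs)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    # Self-signed certificates are common on lab HEC endpoints; allow opting out
    # of verification explicitly rather than silently.
    ctx = None if verify_tls else ssl._create_unverified_context()
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status, explain_hec_status(resp.status)
    except urllib.error.HTTPError as exc:
        return exc.code, explain_hec_status(exc.code)


if __name__ == "__main__":
    # Placeholder host and token; replace with your own lab values.
    status, why = send_hec_event(
        "splunk.example.internal", "00000000-0000-0000-0000-000000000000",
        {"message": "hec connectivity test"}, verify_tls=False)
    print(status, why)
```

Run it from the Phantom VM rather than from the Splunk host: a 404 from there, with the same URL that works from the Splunk host, would point at a proxy or a port mismatch between the two VMs rather than at the HEC configuration itself.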

smcclory
Loves-to-Learn

Hello @mripp ,

The "Send to Phantom" only works with Enterprise Security currently.
We have to use the script phantom_forward.py even though scripts are deprecated. $SPLUNK_HOME/etc/apps/phantom/bin/scripts/phantom_forward.py is the location of the script.
You should be able to see it if you select the alert option for a script while in the Splunk Add-on for Phantom app.

Our problem is currently with the phantom.conf replication causing Splunk SH Clustering issues when a real-time search is running. It replicates across the cluster so often that it causes baseline and snapshot replication problems.
