Splunk Phantom

Automatically Forward Events to Phantom

I am using Splunk Enterprise and wish to automatically forward events to Phantom. I am able to send events to Phantom with a saved search using the Phantom add-on. However, to send events to Phantom, I have to manually press the "Send to Phantom" button. Is there a good method to automate this?

The Phantom add-on has an alert action to create an event in Phantom, but the add-on's README says this functionality is only enabled for Splunk Enterprise Security.


Re: Automatically Forward Events to Phantom

Communicator

Create an alert for the query and add the action as 'send events to phantom'. Add a schedule for running the query as well while creating the alert.
https://my.phantom.us/4.6/docs/admin/splunk


Re: Automatically Forward Events to Phantom

The alert actions 'Send to Phantom' and 'Run Playbook in Phantom' are for Splunk ES. I am only using Splunk Enterprise.

From the Phantom docs:

"If you are running the Phantom App on Splunk on a Splunk ES server, then additional options are available to you. You can use "Send to Phantom" and "Run Playbook in Phantom" as alert actions, and you can send notable events to Phantom as an Adaptive Response Action.

Note: These alert actions will show up in the interface on regular Splunk (non-ES), but they ONLY work on Splunk ES"


Re: Automatically Forward Events to Phantom

Communicator

Then you can save the query in Splunk and use the Phantom app in Splunk. Go to 'export new saved search', then select the query you saved.

If you are not receiving the fields you are expecting in Phantom, then use the stats command or field command in the query to extract the required fields.


Re: Automatically Forward Events to Phantom

I am currently using the Phantom app and a saved search. The data is going to Phantom, but I have to press the "Send to Phantom" button to do it.

The problem is not getting Splunk data to Phantom. It is determining if there is a way to do it automatically such that new events going to Splunk get sent to Phantom without requiring the manual button press.


Re: Automatically Forward Events to Phantom

Path Finder

The saved search events should be forwarded to Phantom automatically on its own when using the Event Forwarding Exports in the Phantom App for Splunk.

Are you setting the Schedule value appropriately?

Are the permissions on the saved search configured as needed for the Phantom app to utilize it?

Which version of Splunk Enterprise and the Phantom App for Splunk are you running?

The Phantom app writes useful logs to splunk_home/var/log/splunk/phantomconfiguration.log and splunk_home/var/log/splunk/phantom_forwarding.log


Re: Automatically Forward Events to Phantom

Thank you, I was able to get the events to forward by toggling the schedule.


Re: Automatically Forward Events to Phantom

The events started forwarding automatically after I specified the event forwarding saved search schedule to be run every minute, instead of real time. I am using Splunk Enterprise 8.0.2 and Phantom 4.8.

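As an added example (not code from this thread or from the Phantom App for Splunk), the following Python check reads savedsearches.conf-style stanzas and flags the two states that this thread and the earlier "use stats to extract the required fields" reply turn on: a saved search with no enabled schedule, and a search whose dispatch window is real-time rather than a fixed cron interval. The stanza names, searches and the assumption that a forwarding search must be scheduled and non-real-time are taken from the accepted answer above and are otherwise constructed for illustration.

```python
"""Audit savedsearches.conf-style stanzas for settings that stop a saved
search from running on a fixed schedule.

Constructed example: it is not code from the Phantom App for Splunk, and the
stanza names and searches below are made up for illustration.
"""
import configparser

# Constructed sample: one search scheduled every minute over a two-minute
# window (the configuration that worked in the thread), one using a
# real-time window, and one with no schedule enabled.
SAMPLE_CONF = """
[phantom_forward_auth_failures]
search = index=auth action=failure | stats count by user, src
cron_schedule = * * * * *
enableSched = 1
dispatch.earliest_time = -2m@m
dispatch.latest_time = now

[phantom_forward_realtime]
search = index=auth action=failure
cron_schedule = * * * * *
enableSched = 1
dispatch.earliest_time = rt-5m
dispatch.latest_time = rt

[phantom_forward_unscheduled]
search = index=auth action=failure | fields user, src
enableSched = 0
dispatch.earliest_time = -15m
dispatch.latest_time = now
"""


def parse_conf(text):
    """Parse .conf text into {stanza_name: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case, e.g. enableSched
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def check_schedule(stanza):
    """Return a list of problems that would keep one saved search from
    running on a fixed schedule (assumed requirement for forwarding)."""
    problems = []
    if stanza.get("enableSched", "0") != "1":
        problems.append("schedule not enabled (enableSched != 1)")
    if not stanza.get("cron_schedule"):
        problems.append("no cron_schedule set")
    # Splunk real-time windows start with "rt"; a scheduled search should
    # use a fixed relative window such as -2m@m .. now instead.
    for key in ("dispatch.earliest_time", "dispatch.latest_time"):
        if stanza.get(key, "").startswith("rt"):
            problems.append(f"{key} is a real-time window ({stanza[key]})")
    return problems


def audit(text):
    """Map each stanza name to its list of problems (empty list = OK)."""
    return {name: check_schedule(s) for name, s in parse_conf(text).items()}


if __name__ == "__main__":
    for name, probs in audit(SAMPLE_CONF).items():
        print(name, "OK" if not probs else "; ".join(probs))
```

Running the block prints one line per stanza; only the every-minute search with a fixed window passes, which is the configuration the accepted answer reports working. Point `audit` at the contents of your own savedsearches.conf to apply the same check.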