Splunk Phantom

I wonder about the configuration of phantom.


Question 1.

Most companies in Korea need separated networks, such as an air gap.

All employees use a separate PC for the Internet and an internal (for working) PC.

Each user uses two PCs: an Internet PC and an internal PC.

Of course, my office also has that problem.
One user operates the security control system for the internal and external networks.

Since communication between the two networks is not possible, Phantom must be operated separately.

In this situation, do I need to purchase Phantom seat licenses for each network?

Or do I only have to buy one per user?

Question 2.

Phantom's competitor, Demisto, introduced the concept of an Engine (proxy) to prepare for this environment.

The engine is described below.

Demisto Engines

Demisto engines are proxy servers installed on-premise that enable the unified functioning of diverse security environments without compromising any firewall or network restrictions.

Users can download engines from the Demisto interface and choose which integrations to deploy through engines. All communication between engines and the Demisto server is conducted over HTTPS.

Does Phantom provide a secure way to connect to other networks with the same concept as Demisto's engine?

Question 3.

I already know Phantom provides clustering.

For Splunk Enterprise, the purpose of clustering and the role of each node are very clear.

However, it is very hard to understand why nodes exist, what role each node has, and why Phantom should be clustered.
I would like a detailed explanation of clustering.



Splunk Employee


Quick answers for the first two:

Question 1) You would have to purchase Phantom for each environment. The per-seat model doesn't work across instances. Your sales engineer can help answer further questions on that.

Question 2) This is not something we support today but is a planned feature.

For question 3, there is a blog here: https://www.splunk.com/en_us/blog/conf-splunklive/introducing-the-splunk-phantom-platform-version-4-... (which is a little dated but still in the 4.x family) and documentation here: https://docs.splunk.com/Documentation/Phantom/4.8/Admin/Clustering


Splunk Employee

You can configure apps, e.g. VirusTotal, to go through a web proxy. For details, please check this page:


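The answer above says an app such as VirusTotal can be pointed at a web proxy, but the linked page did not survive. As an added example (not Phantom's own code and not the page the answer links to), here is how the Python HTTP client of an app is typically routed through an egress proxy using the conventional HTTPS_PROXY / NO_PROXY variables, with the decision logic made explicit so it can be checked offline. The proxy hostname, port and NO_PROXY list are assumed values; only the https scheme is mapped, so a plaintext http call to an external service has no route and fails instead of leaking through the proxy.

```python
import urllib.request
from urllib.parse import urlparse

# Constructed sample environment for an app host that can only reach the
# Internet through a corporate web proxy (hypothetical proxy and domain names).
SAMPLE_ENV = {
    "HTTPS_PROXY": "http://egress-proxy.corp.example:3128",
    "NO_PROXY": "localhost,127.0.0.1,.corp.example",
}


def proxy_settings(env):
    """Build the proxy map for urllib's ProxyHandler from HTTPS_PROXY.

    Only the https scheme is mapped on purpose: an integration lookup must not
    be sent in plaintext, so plain-http targets get no route at all.
    """
    proxy = env.get("HTTPS_PROXY") or env.get("https_proxy")
    if not proxy:
        return {}
    parsed = urlparse(proxy)
    if parsed.scheme not in ("http", "https") or not parsed.hostname or not parsed.port:
        raise ValueError("HTTPS_PROXY must look like scheme://host:port, got %r" % proxy)
    return {"https": proxy}


def bypasses_proxy(url, env):
    """True when the URL's host is covered by NO_PROXY.

    Entries are exact hostnames or ".domain" suffixes, the usual convention;
    internal services (the Splunk search head, the local host) stay off the
    proxy so the proxy logs and policy only ever see external traffic.
    """
    host = urlparse(url).hostname or ""
    entries = (e.strip() for e in env.get("NO_PROXY", "").split(","))
    for entry in filter(None, entries):
        if entry.startswith("."):
            if host.endswith(entry) or host == entry[1:]:
                return True
        elif host == entry:
            return True
    return False


def route_for(url, env):
    """Decide how a request leaves the host: 'direct', 'proxy' or 'blocked'."""
    if bypasses_proxy(url, env):
        return "direct"
    settings = proxy_settings(env)
    if urlparse(url).scheme == "https" and "https" in settings:
        return "proxy"
    return "blocked"


def build_opener(env):
    """Return a urllib opener whose https requests go through the configured
    proxy. TLS certificate verification stays at urllib's default (enabled);
    the proxy only tunnels the connection with CONNECT and cannot read it.
    No request is made here, so the example runs offline.
    """
    return urllib.request.build_opener(urllib.request.ProxyHandler(proxy_settings(env)))


if __name__ == "__main__":
    for target in ("https://www.virustotal.com/api/v3/files/abc",
                   "https://splunk.corp.example:8089/services",
                   "http://www.virustotal.com/"):
        print(target, "->", route_for(target, SAMPLE_ENV))
    opener = build_opener(SAMPLE_ENV)
    print("opener ready with", proxy_settings(SAMPLE_ENV))
```

Note that urllib's ProxyHandler applies the bypass list from the real process environment (`no_proxy`), not from the dictionary passed here; `bypasses_proxy` reproduces that convention so the routing decision for each host can be reviewed before the app is deployed.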