Splunk SOAR (f.k.a. Phantom)

Phantom: How to retrieve audit logs from Phantom and ingest into Enterprise Security on Splunk?

sdubey_splunk
Splunk Employee

I want the audit information below from the Phantom server ingested into Splunk ES. How do I retrieve it?

1) Login
   Success
   Failure

I can see only login and logout information in /var/log/phantom/wsgi.log:

[pid: 13170|app: 0|req: 6451/17274] 10.3.3.3 () {52 vars in 986 bytes} [Tue Jul 16 02:40:38 2019] POST /login => generated 36 bytes in 48 msecs (HTTP/1.1 200) 6 headers in 413 bytes (1 switches on core 0)

2) Logout info in /var/log/phantom/wsgi.log

[pid: 2470|app: 0|req: 4279/17278] 10.3.3.3 () {46 vars in 928 bytes} [Tue Jul 16 02:41:26 2019] GET /logout?3444838 => generated 0 bytes in 9 msecs (HTTP/1.1 302) 5 headers in 206 bytes (1 switches on core 0)

3) ID: How do I get the data below from the Phantom server? Where is it located?
   Creation
   Modification
   Deletion

4) Roles
   Creation
   Modification
   Deletion

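The two wsgi.log lines quoted in the question are uwsgi request-log records, and the login/logout part of the question can be answered from them alone while the audit REST feed is being set up. The parser below is an added example, not code from the original post or from Phantom; it extracts the client address, timestamp, method, path and HTTP status from each line, keeps only the POST /login and GET /logout requests, and emits them in the envelope that Splunk's HTTP Event Collector expects. Two assumptions are marked in the code: that the uwsgi timestamp is UTC, and that a non-2xx status on POST /login means a failed attempt (the question shows no failed login, so confirm that against your own appliance). The third sample line, with a 401, is constructed to exercise the failure branch.

```python
import re
from datetime import datetime, timezone

# Regex for the uwsgi request-log format seen in /var/log/phantom/wsgi.log.
# The "()" after the client address holds the request user, empty in the samples.
WSGI_LINE = re.compile(
    r"\[pid: (?P<pid>\d+)\|app: \d+\|req: \d+/\d+\] "
    r"(?P<client>\S+) \((?P<user>[^)]*)\) \{\d+ vars in \d+ bytes\} "
    r"\[(?P<ts>[^\]]+)\] (?P<method>[A-Z]+) (?P<target>\S+) => generated "
    r"(?P<bytes>\d+) bytes in (?P<msecs>\d+) msecs "
    r"\(HTTP/[\d.]+ (?P<status>\d{3})\)"
)


def parse_wsgi_line(line):
    """Return the request fields from one wsgi.log line, or None if it is not a request line."""
    m = WSGI_LINE.search(line)
    if not m:
        return None
    # Assumption: the uwsgi timestamp is UTC; adjust if the appliance clock runs in local time.
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    path, _, query = m.group("target").partition("?")
    return {
        "time": ts.timestamp(),
        "timestamp": ts.isoformat(),
        "client": m.group("client"),
        "user": m.group("user") or None,
        "method": m.group("method"),
        "path": path,
        "query": query or None,
        "status": int(m.group("status")),
        "msecs": int(m.group("msecs")),
    }


def classify_auth_event(fields):
    """Map a parsed request to a login/logout verdict, or None when it is not an auth action."""
    if fields["method"] == "POST" and fields["path"] == "/login":
        # Assumption: a non-2xx answer to POST /login is a failed attempt. Verify this on
        # your deployment, since an application may also answer 200 with an error body.
        outcome = "success" if 200 <= fields["status"] < 300 else "failure"
        return {"action": "login", "outcome": outcome}
    if fields["method"] == "GET" and fields["path"] == "/logout":
        return {"action": "logout", "outcome": "success"}
    return None


def auth_events(lines, sourcetype="phantom:wsgi:auth"):
    """Yield HEC-shaped events ({"time", "sourcetype", "event"}) for every login/logout line."""
    for line in lines:
        fields = parse_wsgi_line(line)
        if not fields:
            continue
        verdict = classify_auth_event(fields)
        if not verdict:
            continue
        event = dict(fields, **verdict)
        yield {"time": event.pop("time"), "sourcetype": sourcetype, "event": event}


# First two lines are the ones quoted in the question; the third is a constructed failed login.
SAMPLE_LINES = [
    "[pid: 13170|app: 0|req: 6451/17274] 10.3.3.3 () {52 vars in 986 bytes} [Tue Jul 16 02:40:38 2019] "
    "POST /login => generated 36 bytes in 48 msecs (HTTP/1.1 200) 6 headers in 413 bytes (1 switches on core 0)",
    "[pid: 2470|app: 0|req: 4279/17278] 10.3.3.3 () {46 vars in 928 bytes} [Tue Jul 16 02:41:26 2019] "
    "GET /logout?3444838 => generated 0 bytes in 9 msecs (HTTP/1.1 302) 5 headers in 206 bytes (1 switches on core 0)",
    "[pid: 13170|app: 0|req: 6452/17275] 10.3.3.3 () {52 vars in 986 bytes} [Tue Jul 16 02:41:02 2019] "
    "POST /login => generated 58 bytes in 41 msecs (HTTP/1.1 401) 5 headers in 180 bytes (1 switches on core 0)",
]

if __name__ == "__main__":
    import json
    for ev in auth_events(SAMPLE_LINES):
        print(json.dumps(ev))
```

Feeding the output of `auth_events` to HEC (or writing it to a file monitored by a forwarder) gives ES a `client`, `action` and `outcome` per login attempt, which is enough for a failed-login threshold search; the user, role and playbook changes asked about in parts 3 and 4 are not in wsgi.log at all and have to come from the audit REST feed.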

sdubey_splunk
Splunk Employee

Phantom audit information can be read via a REST API. You can access audit information for individual Users, Roles, Playbooks, and Containers, or you can access all available audit information at once, with or without additional filtering. You can find complete details at https://my.phantom.us/4.0/docs/rest/audit.

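The accepted answer points at the audit REST endpoint but leaves the ingestion step to the reader. The script below is an added example, not code from the original post or from Phantom's documentation: it builds the `GET /rest/audit` request for a date window, wraps each returned record in the HEC event envelope and posts the batch to Splunk's HTTP Event Collector, with a checkpoint helper so the next poll can start where the last one ended. Everything about the Phantom side is an assumption taken from the audit docs the answer links to: the `format`, `start` and `end` query parameters, the `ph-auth-token` header used for automation-user tokens, and the `time` key in each record, so check those against the docs for your Phantom version. The HEC endpoint, `Authorization: Splunk <token>` header and event envelope are standard Splunk. The two records in `SAMPLE_RECORDS` are constructed so the transform runs offline; real audit JSON will carry its own field names.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone


def build_audit_request(phantom_url, auth_token, start=None, end=None):
    """Build the GET /rest/audit request for an optional YYYY-MM-DD window.

    Assumption: the endpoint path, the format/start/end parameters and the
    ph-auth-token header follow the audit REST docs linked in the answer.
    """
    params = {"format": "json"}
    if start:
        params["start"] = start
    if end:
        params["end"] = end
    url = f"{phantom_url.rstrip('/')}/rest/audit?{urllib.parse.urlencode(params)}"
    headers = {"ph-auth-token": auth_token, "Accept": "application/json"}
    return urllib.request.Request(url, headers=headers)


def fetch_audit(phantom_url, auth_token, start=None, end=None, timeout=30):
    """Call Phantom and return the decoded JSON audit records (network call, not run offline)."""
    req = build_audit_request(phantom_url, auth_token, start, end)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def _epoch(value):
    """ISO 8601 timestamp (with or without a trailing Z) to epoch seconds, or None."""
    if not isinstance(value, str):
        return None
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00")).timestamp()
    except ValueError:
        return None


def to_hec_events(records, sourcetype="phantom:audit", host="phantom", index=None, time_key="time"):
    """Wrap each audit record in the HEC envelope.

    Assumption: the record's own timestamp lives under `time_key`; when it is
    missing or unparsable, "time" is omitted and HEC stamps the receipt time.
    """
    events = []
    for rec in records:
        ev = {"sourcetype": sourcetype, "host": host, "event": rec}
        if index:
            ev["index"] = index
        t = _epoch(rec.get(time_key))
        if t is not None:
            ev["time"] = t
        events.append(ev)
    return events


def hec_body(events):
    """HEC accepts several JSON objects concatenated in one POST body."""
    return "\n".join(json.dumps(ev, separators=(",", ":")) for ev in events).encode()


def send_to_hec(hec_url, hec_token, events, timeout=30):
    """POST the batch to the HEC event endpoint and return Splunk's JSON acknowledgement."""
    req = urllib.request.Request(
        f"{hec_url.rstrip('/')}/services/collector/event",
        data=hec_body(events),
        headers={"Authorization": f"Splunk {hec_token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def latest_day(records, time_key="time"):
    """Newest record date (YYYY-MM-DD), to be stored as the `start` of the next poll."""
    times = [t for t in (_epoch(r.get(time_key)) for r in records) if t is not None]
    if not times:
        return None
    return datetime.fromtimestamp(max(times), tz=timezone.utc).strftime("%Y-%m-%d")


# Constructed sample records; real audit JSON will have its own field names.
SAMPLE_RECORDS = [
    {"time": "2019-07-16T02:40:38Z", "user": "admin", "object": "user", "action": "login", "result": "success"},
    {"time": "2019-07-16T03:12:05Z", "user": "admin", "object": "role", "action": "create", "name": "tier1-analyst"},
]

if __name__ == "__main__":
    # Offline run over the constructed records; the commented lines show the live path
    # with placeholder host names and tokens to replace.
    print(hec_body(to_hec_events(SAMPLE_RECORDS, index="phantom")).decode())
    # records = fetch_audit("https://PHANTOM_HOST", "PH_AUTH_TOKEN", start="2019-07-16")
    # print(send_to_hec("https://SPLUNK_HEC_HOST:8088", "HEC_TOKEN", to_hec_events(records, index="phantom")))
    # print("next start:", latest_day(records))
```

Because the checkpoint is a whole day, consecutive polls overlap on the boundary date; keep the records' own identifiers in the event so duplicates can be collapsed in the search, and run the poller under a dedicated automation user whose token is limited to reading audit data.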

