Splunk SOAR (f.k.a. Phantom)

I wonder about the configuration of phantom.

ragonfly
New Member

Hello.

I wonder about the configuration of phantom.

Question 1.

Most companies in Korea need separated networks, such as air-gapped ones.

All employees use a separate PC for the Internet and an internal (for working) PC.

So each user uses two PCs: an Internet PC and an internal PC.

Of course my office also has that problem.
One user operates the security control system for the internal and external networks.

Since communication between the two networks is not possible, Phantom must be operated separately.

In this situation, do I need to purchase Phantom seat licenses for each network?

Or do I only have to buy one per user?

Question 2.

Phantom's competitor, Demisto, introduced the concept of an Engine (proxy) to prepare for this environment.

The engine is described below.

Demisto Engines

Demisto engines are proxy servers installed on-premise that enable the unified functioning of diverse security environments without compromising any firewall or network restrictions.

Users can download engines from the Demisto interface and choose which integrations to deploy through engines. All communication between engines and the Demisto server is conducted over HTTPS.

Does Phantom provide a secure way to connect to other networks with the same concept as Demisto's engine?

Question 3.

I already know that Phantom provides clustering.

For Splunk Enterprise, the purpose of clustering and the role of each node are very clear.

However, it is very difficult to understand why nodes exist, what role each node has, and why it should be clustered in Phantom.
I would like a detailed explanation of clustering.

Thanks,

0 Karma

sam_splunk
Splunk Employee

Hello,

Quick answers for the first two:

Question 1) You would have to purchase Phantom for each environment. The per-seat model doesn't work across instances. Your sales engineer can help answer further questions on that.

Question 2) This is not something we support today but is a planned feature.

For question 3, there is a blog here: https://www.splunk.com/en_us/blog/conf-splunklive/introducing-the-splunk-phantom-platform-version-4-... (which is a little dated but still in the 4.x family) and documentation here: https://docs.splunk.com/Documentation/Phantom/4.8/Admin/Clustering

0 Karma

ppang
Splunk Employee

You can configure apps, e.g. VirusTotal, to go through a web proxy. For details, please check this page:

https://my.phantom.us/kb/85/

0 Karma