Splunk SOAR (f.k.a. Phantom)

Phantom: How to retrieve audit logs from Phantom and ingest into Enterprise Security on Splunk?

sdubey_splunk
Splunk Employee

I want the audit information listed below from the Phantom server ingested into Splunk ES. How do I retrieve it?

1) Login
   - Success
   - Failure

I can see only login and logout information in /var/log/phantom/wsgi.log:

[pid: 13170|app: 0|req: 6451/17274] 10.3.3.3 () {52 vars in 986 bytes} [Tue Jul 16 02:40:38 2019] POST /login => generated 36 bytes in 48 msecs (HTTP/1.1 200) 6 headers in 413 bytes (1 switches on core 0)

2) Logout info in /var/log/phantom/wsgi.log:

[pid: 2470|app: 0|req: 4279/17278] 10.3.3.3 () {46 vars in 928 bytes} [Tue Jul 16 02:41:26 2019] GET /logout?3444838 => generated 0 bytes in 9 msecs (HTTP/1.1 302) 5 headers in 206 bytes (1 switches on core 0)

3) ID: How do I get the data below from the Phantom server? Where is it located?
   - Creation
   - Modification
   - Deletion

4) Roles
   - Creation
   - Modification
   - Deletion
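The two wsgi.log lines quoted in the question are uWSGI request-log entries. The following is an added example (not code from the original post or from Splunk/Phantom) that parses that line format into structured fields and emits one JSON record per login or logout request, which a Splunk file monitor input can then pick up. The regular expression, the event names `login_request`/`logout`, and the third sample line are my own constructions; the timestamps carry no time zone in the log, so the parser assumes server-local time. Note that the quoted lines only show that a request to /login was made and what HTTP status uWSGI returned; they do not by themselves tell you whether the login succeeded, which is why the audit REST API answer below is the better source for success/failure.

```python
import json
import re
from datetime import datetime
from urllib.parse import urlsplit

# Regex for the uWSGI request-log format seen in /var/log/phantom/wsgi.log (assumption:
# built from the two lines quoted in the question; trailing "(N switches on core M)" is ignored).
WSGI_LINE = re.compile(
    r"^\[pid: (?P<pid>\d+)\|app: (?P<app>\d+)\|req: (?P<req>\d+)/(?P<req_total>\d+)\] "
    r"(?P<client_ip>\S+) \((?P<remote_user>[^)]*)\) "
    r"\{(?P<var_count>\d+) vars in (?P<var_bytes>\d+) bytes\} "
    r"\[(?P<timestamp>[^\]]+)\] "
    r"(?P<method>[A-Z]+) (?P<uri>\S+) => generated (?P<resp_bytes>\d+) bytes "
    r"in (?P<duration_ms>\d+) msecs \((?P<protocol>HTTP/[\d.]+) (?P<status>\d{3})\) "
    r"(?P<header_count>\d+) headers in (?P<header_bytes>\d+) bytes"
)


def classify(method, path):
    """Map a request to an auth event name. Only the two paths shown in the post are known here."""
    if method == "POST" and path == "/login":
        return "login_request"
    if path == "/logout":
        return "logout"
    return "other"


def parse_wsgi_line(line):
    """Return a dict of fields for one wsgi.log line, or None if the line does not match."""
    m = WSGI_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    parts = urlsplit(d["uri"])  # splits "/logout?3444838" into path and query
    # The log has no time zone; assumed to be the Phantom server's local time.
    ts = datetime.strptime(d["timestamp"], "%a %b %d %H:%M:%S %Y")
    return {
        "_time": ts.isoformat(),
        "client_ip": d["client_ip"],
        "method": d["method"],
        "path": parts.path,
        "query": parts.query,
        "status": int(d["status"]),
        "duration_ms": int(d["duration_ms"]),
        "resp_bytes": int(d["resp_bytes"]),
        "pid": int(d["pid"]),
        "event": classify(d["method"], parts.path),
    }


def auth_events_as_json(lines):
    """One JSON string per login/logout request, suitable for a Splunk monitored file."""
    out = []
    for line in lines:
        ev = parse_wsgi_line(line)
        if ev and ev["event"] != "other":
            out.append(json.dumps(ev, sort_keys=True))
    return out


# Constructed sample input: the two lines quoted in the question plus one unrelated request.
SAMPLE_LINES = [
    "[pid: 13170|app: 0|req: 6451/17274] 10.3.3.3 () {52 vars in 986 bytes} "
    "[Tue Jul 16 02:40:38 2019] POST /login => generated 36 bytes in 48 msecs "
    "(HTTP/1.1 200) 6 headers in 413 bytes (1 switches on core 0)",
    "[pid: 2470|app: 0|req: 4279/17278] 10.3.3.3 () {46 vars in 928 bytes} "
    "[Tue Jul 16 02:41:26 2019] GET /logout?3444838 => generated 0 bytes in 9 msecs "
    "(HTTP/1.1 302) 5 headers in 206 bytes (1 switches on core 0)",
    "[pid: 2470|app: 0|req: 4280/17279] 10.3.3.4 () {40 vars in 700 bytes} "
    "[Tue Jul 16 02:42:00 2019] GET /rest/container/1 => generated 512 bytes in 12 msecs "
    "(HTTP/1.1 200) 5 headers in 200 bytes (1 switches on core 0)",
]

if __name__ == "__main__":
    for record in auth_events_as_json(SAMPLE_LINES):
        print(record)
```

Run it over the real file with something like `auth_events_as_json(open("/var/log/phantom/wsgi.log"))` and write the output to a file that Splunk monitors; `_time` is already ISO 8601, so a `TIME_FORMAT` of `%Y-%m-%dT%H:%M:%S` in props.conf will pick it up.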


sdubey_splunk
Splunk Employee

Phantom audit information can be read via a REST API. You can access audit information for individual Users, Roles, Playbooks, and Containers, or you can access all available audit information at once, with or without additional filtering. You can find complete details at https://my.phantom.us/4.0/docs/rest/audit.
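As an added example of putting the answer above into practice (this is not code from the original post, from Splunk or from Phantom), the script below pulls the combined audit data from the Phantom REST API and forwards each record to Splunk through an HTTP Event Collector (HEC) input, which is the usual way to get it into ES. Assumptions, all taken from the linked REST docs and from general Phantom/Splunk usage rather than from this page: the endpoint is `GET /rest/audit` on the Phantom host, it accepts `format=json` and optional `start`/`end` date filters, the request is authenticated with a `ph-auth-token` header holding an automation user's token, and the HEC endpoint is `/services/collector/event` with `Authorization: Splunk <token>`. Check the parameter names against the docs for your version. The sample audit records at the bottom are constructed only to show the HEC payload shape; the real field names come from Phantom and are passed through untouched.

```python
import json
import os
import ssl
from urllib.parse import urlencode
from urllib.request import Request, urlopen


def audit_url(phantom_base, start=None, end=None):
    """Build the Phantom audit URL. Parameter names are assumptions from the REST docs."""
    params = {"format": "json"}
    if start:
        params["start"] = start
    if end:
        params["end"] = end
    return f"{phantom_base.rstrip('/')}/rest/audit?{urlencode(params)}"


def phantom_headers(token):
    # ph-auth-token: automation-user token (assumed header name from the Phantom REST docs).
    return {"ph-auth-token": token, "Accept": "application/json"}


def fetch_audit(phantom_base, token, start=None, end=None, cafile=None):
    """GET the audit records. TLS verification stays on; point cafile at the Phantom CA if self-signed."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = Request(audit_url(phantom_base, start, end), headers=phantom_headers(token), method="GET")
    with urlopen(req, context=ctx, timeout=30) as resp:
        body = json.load(resp)
    # Assumption: the response is either a bare list or an object with a "data" list.
    return body["data"] if isinstance(body, dict) and "data" in body else body


def hec_payload(records, host, sourcetype="phantom:audit", source="phantom:rest:audit"):
    """Newline-delimited HEC events; each audit record becomes one event, fields untouched."""
    lines = [
        json.dumps({"event": r, "host": host, "sourcetype": sourcetype, "source": source}, sort_keys=True)
        for r in records
    ]
    return "\n".join(lines)


def send_to_hec(hec_base, hec_token, payload, cafile=None):
    """POST the payload to Splunk HEC and return its JSON acknowledgement."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = Request(
        hec_base.rstrip("/") + "/services/collector/event",
        data=payload.encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Splunk {hec_token}", "Content-Type": "application/json"},
    )
    with urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


# Constructed sample records, only to illustrate the payload shape (not real Phantom output).
SAMPLE_RECORDS = [
    {"object": "user", "action": "login", "name": "analyst1", "result": "success"},
    {"object": "role", "action": "modify", "name": "Observer", "result": "success"},
]

if __name__ == "__main__":
    # Tokens come from the environment so they never sit in the script or in a scheduler's argv.
    phantom_base = os.environ["PHANTOM_BASE"]          # e.g. https://phantom.example.internal
    splunk_hec = os.environ["SPLUNK_HEC_BASE"]         # e.g. https://splunk.example.internal:8088
    records = fetch_audit(phantom_base, os.environ["PHANTOM_TOKEN"], cafile=os.environ.get("CA_FILE"))
    ack = send_to_hec(splunk_hec, os.environ["SPLUNK_HEC_TOKEN"],
                      hec_payload(records, host="phantom"), cafile=os.environ.get("CA_FILE"))
    print(f"sent {len(records)} audit records, HEC replied: {ack}")
```

Schedule it with a `start` of the last successful run to avoid re-sending records, and give the `phantom:audit` sourcetype its own props.conf stanza so ES can map the user, role and container fields you care about.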
