Splunk SOAR (f.k.a. Phantom)

Phantom: How to retrieve audit logs from Phantom and ingest into Enterprise Security on Splunk?

sdubey_splunk
Splunk Employee
Splunk Employee

I want the below audit information from Phantom server ingested into Splunk ES and how to retrieve it?
1) Login
Success

Failure

I can see only login and logout information in : /var/log/phantom/wsgi.log
[pid: 13170|app: 0|req: 6451/17274] 10.3.3.3 () {52 vars in 986 bytes} [Tue Jul 16 02:40:38 2019] POST /login => generated 36 bytes in 48 msecs (HTTP/1.1 200) 6 headers in 413 bytes (1 switches on core 0)

2) Logout info in /var/log/phantom/wsgi.log

[pid: 2470|app: 0|req: 4279/17278] 10.3.3.3 () {46 vars in 928 bytes} [Tue Jul 16 02:41:26 2019] GET /logout?3444838 => generated 0 bytes in 9 msecs (HTTP/1.1 302) 5 headers in 206 bytes (1 switches on core 0)
3) ID : How to get the below data from Phantom server? Where is it located?
Creation
Modification
Deletion
3) Roles
Creation
Modification
Deletion

Labels (2)
Tags (1)
0 Karma
1 Solution

sdubey_splunk
Splunk Employee
Splunk Employee

Phantom audit information can be read via a REST API. You can access audit information for individual Users, Roles, Playbooks, and Containers. Or you can access all available audit information at once, with or without additional filtering. You find complete details at url https://my.phantom.us/4.0/docs/rest/audit.

View solution in original post

0 Karma

pdavis2_splunk
Splunk Employee
Splunk Employee
0 Karma

sdubey_splunk
Splunk Employee
Splunk Employee

Phantom audit information can be read via a REST API. You can access audit information for individual Users, Roles, Playbooks, and Containers. Or you can access all available audit information at once, with or without additional filtering. You find complete details at url https://my.phantom.us/4.0/docs/rest/audit.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...