Splunk SOAR

Automatically Forward Events to Phantom

jhuapl123454321
Explorer

I am using Splunk Enterprise and wish to automatically forward events to Phantom. I am able to send events to Phantom with a saved search using the Phantom add-on. However, to send events to Phantom, I have to manually press the "Send to Phantom" button. Is there a good method to automate this?

The Phantom add-on has an alert action to create an event in Phantom, but the add-on's README says this functionality is only enabled for Splunk Enterprise Security.

Labels (2)
0 Karma
1 Solution

jhuapl123454321
Explorer

The events started forwarding automatically after I specified the event forwarding saved search schedule to be run every minute, instead of real time. I am using Splunk Enterprise 8.0.2 and Phantom 4.8.

View solution in original post

0 Karma

jhuapl123454321
Explorer

The events started forwarding automatically after I specified the event forwarding saved search schedule to be run every minute, instead of real time. I am using Splunk Enterprise 8.0.2 and Phantom 4.8.

0 Karma

ansusabu
Communicator

Create an alert for the query and add the action as 'send events to phantom'. Add a schedule for running the query as well while creating the alert.
https://my.phantom.us/4.6/docs/admin/splunk

0 Karma

jhuapl123454321
Explorer

The alert actions 'Sent to Phantom' and 'Run Playbook in Phantom' are for Splunk ES. I am only using Splunk Enterprise.

From the Phantom docs:

"If you are running the Phantom App on Splunk on a Splunk ES server, then additional options are available to you. You can use "Send to Phantom" and "Run Playbook in Phantom" as alert actions, and you can send notable events to Phantom as an Adaptive Response Action.

Note: These alert actions will show up in the interface on regular Splunk (non-ES), but they ONLY work on Splunk ES"

0 Karma

ansusabu
Communicator

Then you can save the query in Splunk and use the Phantom app in Splunk. Goto 'export new saved search' , then select the query you saved.

If you are not receiving the fields you are expecting in Phantom, then use, stats command or field command in the query to extract the required fields.

0 Karma

jhuapl123454321
Explorer

I am currently using the Phantom app and a saved search. The data is going to Phantom, but I have to press the "Send to Phantom" button to do it.

The problem is not getting Splunk data to Phantom. It is determining if there is a way to do it automatically such that new events going to Splunk get sent to Phantom without requiring the manual button press.

0 Karma

cblumer_splunk
Splunk Employee
Splunk Employee

The saved search events should be forwarded to Phantom automatically on its own when using the Event Forwarding Exports in the Phantom App for Splunk.

Are you setting the Schedule value appropriately?

Are the permissions on the saved search configured as needed for the Phantom app to utilize it?

Which version of Splunk Enterprise and the Phantom App for Splunk are you running?

The Phantom app writes useful logs to splunk_home/var/log/splunk/phantom_configuration.log and splunk_home/var/log/splunk/phantom_forwarding.log

0 Karma

jhuapl123454321
Explorer

Thank you, I was able to get the events to forward by toggling the schedule.

0 Karma

camar
Engager

Hi, I'm facing the same issue as you and it seems that you overcame

What do yo mean by 'toggling the schedule' ? Please some details will be appreciate. thank you

0 Karma

chaixl
Explorer

Can you tell me how to realize automatic forwarding events to phantom? I'm in a situation similar to yours. I am able to send events to Phantom with a saved search using the Phantom add-on. However, to send events to Phantom, I have to manually press the "Send to Phantom" button, when the saved search has new logs, phantom will not receive it.

0 Karma
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...