Splunk SOAR

Phantom Architecture Concern

YeswanthReddy
Engager

Hi All,

Good Day!!

This is a Splunk Phantom architecture question. We are in the initial stage of building Splunk Phantom and are considering the C1E+ network topology (snip attached), as we have an external Splunk instance (both indexer and search head), but the Splunk is on Cloud (SaaS product).
1. My question is: would it support building Splunk Phantom without the embedded Splunk instance (which would be part of the Splunk architecture)? We have an external Splunk instance, which is on Cloud.
2. What is the major functionality of embedded Splunk here in the Phantom architecture?
3. Any barriers/issues to building the Phantom infrastructure without embedded Splunk?
4. Which version of Phantom would support building without embedded Splunk?

Looking forward to your response, which will help us a lot to have a consistent environment.

Regards,
Yeswanth M.

1 Solution

phanTom
SplunkTrust

@YeswanthReddy The remote search app only contains the indexes and configuration for dealing with the data on a Splunk instance. It doesn't make any connections at all. The data to feed the app comes from a Phantom instance with the External Splunk configured to send data via HEC to the indexing layer. The data can then be read by Phantom if connected to a search head via the same External Splunk configuration.

It depends why you are doing it:

The remote search app is required if you want to be able to use the Phantom data for reporting metrics, as you can't get access to, or manipulate, the data if you don't externalise the Splunk capability.

In a cluster there are 2 choices:
* Embedded Splunk - a Phantom instance with a script run to make it the Splunk component
* Your own Splunk
    - This can be either Splunk instance(s) managed locally (on-prem/AWS) or Splunk Cloud, as the capability is the same; just how you connect to them is different.


YeswanthReddy
Engager

@phanTom 
Thanks a lot for the heads up. Yeah, we are thinking of going with the HTTP Event Collector (HEC) methodology via the Remote Search app to achieve the search capability, but my concern is:

1. Do we still need to install the embedded Splunk service even if we use the Remote Search app to connect with the external Splunk Cloud instance? Since we already have an existing infra built long before.

2. Which one is the best practice: using the Remote Search app or the default embedded Splunk service?

Could you please help me to understand the above queries.

Thanks a lot in advance.

Regards,

Yeswanth M.


phanTom
SplunkTrust

@YeswanthReddy 

1. As long as Phantom has somewhere to store and update the Splunk data, it can be made to work with any Splunk capability. It is a required capability in a cluster and very useful too.

    - For Splunk Cloud you may have to use a HFW in the same location as your Phantom cluster, acting as the Splunk indexing capability, that is configured to forward to your Cloud instance. This will use HEC to send data from Phantom to the HFW and then up to the Splunk Cloud instance, but you will also need the Phantom nodes to be able to connect directly to the Cloud instance for the search capability.

2. The main functionality is to store platform data, and Splunk feeds the top search bar in Phantom when you want to search for apps/assets/actions/containers/etc.

3. You MUST have Splunk when building a Phantom cluster.

4. None.

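The "HFW next to the Phantom cluster, forwarding to Splunk Cloud" layout described in the answer above, as an added configuration example that is not from the thread, from Splunk or from the Phantom documentation. Hostnames, the HEC token value and the Phantom index names are placeholders and assumptions; the real index list comes from the phantom_remote_search app installed on the Splunk Cloud stack, and the real `[tcpout]` stanza (server list and the `sslCertPath`/`sslRootCAPath`/`sslPassword` settings) comes from the forwarder credentials package downloaded from that stack.

```conf
# ---------------------------------------------------------------------------
# Heavy forwarder (HFW) colocated with the Phantom cluster.
# Added example; values marked <...> and the token are placeholders.
# File: $SPLUNK_HOME/etc/system/local/inputs.conf
# ---------------------------------------------------------------------------

[http]
disabled = 0
port = 8088
# Phantom's "External Splunk" HEC setting must point at https://<hfw-fqdn>:8088.
# Do not run the listener without TLS: the token is a bearer credential.
enableSSL = 1

[http://phantom]
disabled = 0
# Generate your own token; this is the value entered in Phantom's HEC config.
token = 00000000-0000-0000-0000-000000000000
# Least privilege: this token may write only to the Phantom indexes.
# Assumed names - verify against phantom_remote_search/default/indexes.conf.
indexes = phantom_container, phantom_artifact, phantom_action_run, phantom_playbook_run
# Default index for any event that does not name one; must be in the list above.
index = phantom_container

# ---------------------------------------------------------------------------
# File: $SPLUNK_HOME/etc/system/local/outputs.conf
# Shape only; Splunk Cloud's forwarder credentials package supplies the
# real server name and the client certificate settings.
# ---------------------------------------------------------------------------

[tcpout]
defaultGroup = splunkcloud
# Leave indexAndForward at its default (false): the HFW relays, it does not keep a copy.

[tcpout:splunkcloud]
server = inputs.<your-stack>.splunkcloud.com:9997
sslVerifyServerCert = true
useClientSSLCompression = true
```

Two checks are worth running before pointing Phantom at it. First, `curl -k https://<hfw-fqdn>:8088/services/collector/health` should report HEC as healthy, and a test event sent with `Authorization: Splunk <token>` to `/services/collector/event` naming `"index":"phantom_container"` should then be searchable as `index=phantom_container` on the Cloud search head; a rejection citing an incorrect index means the token's `indexes` list, the indexes defined on the HFW and the indexes on the Cloud stack disagree (installing the same remote search app on the HFW keeps them aligned). Second, remember the answer's other requirement: the HFW only covers the ingest path, so every Phantom node still needs outbound connectivity to the Cloud stack's management port (8089 by default) for the search side of the External Splunk configuration, which on Splunk Cloud normally means adding the Phantom nodes' egress addresses to the stack's IP allow list.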