Splunk SOAR
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Phantom: How to retrieve audit logs from Phantom and ingest into Enterprise Security on Splunk?

sdubey_splunk
Splunk Employee
Splunk Employee
‎07-23-2019 12:36 AM

I want the below audit information from Phantom server ingested into Splunk ES and how to retrieve it?
1) Login
Success

Failure

I can see only login and logout information in : /var/log/phantom/wsgi.log
[pid: 13170|app: 0|req: 6451/17274] 10.3.3.3 () {52 vars in 986 bytes} [Tue Jul 16 02:40:38 2019] POST /login => generated 36 bytes in 48 msecs (HTTP/1.1 200) 6 headers in 413 bytes (1 switches on core 0)

2) Logout info in /var/log/phantom/wsgi.log

[pid: 2470|app: 0|req: 4279/17278] 10.3.3.3 () {46 vars in 928 bytes} [Tue Jul 16 02:41:26 2019] GET /logout?3444838 => generated 0 bytes in 9 msecs (HTTP/1.1 302) 5 headers in 206 bytes (1 switches on core 0)
3) ID : How to get the below data from Phantom server? Where is it located?
Creation
Modification
Deletion
3) Roles
Creation
Modification
Deletion

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sdubey_splunk
Splunk Employee
Splunk Employee
‎07-23-2019 12:37 AM

Phantom audit information can be read via a REST API. You can access audit information for individual Users, Roles, Playbooks, and Containers. Or you can access all available audit information at once, with or without additional filtering. You find complete details at url https://my.phantom.us/4.0/docs/rest/audit.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

pdavis2_splunk
Splunk Employee
Splunk Employee
‎04-10-2020 11:35 AM

New URL in case people are looking for it: https://docs.splunk.com/Documentation/Phantom/4.8/PlatformAPI/RESTAudit

0 Karma
Reply
Solved! Jump to solution
Solution

sdubey_splunk
Splunk Employee
Splunk Employee
‎07-23-2019 12:37 AM

Phantom audit information can be read via a REST API. You can access audit information for individual Users, Roles, Playbooks, and Containers. Or you can access all available audit information at once, with or without additional filtering. You find complete details at url https://my.phantom.us/4.0/docs/rest/audit.

0 Karma
Reply
Get Updates on the Splunk Community!

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...