Splunk SOAR

Phantom: How to retrieve audit logs from Phantom and ingest into Enterprise Security on Splunk?

sdubey_splunk
Splunk Employee
Splunk Employee

I want the below audit information from Phantom server ingested into Splunk ES and how to retrieve it?
1) Login
Success

Failure

I can see only login and logout information in : /var/log/phantom/wsgi.log
[pid: 13170|app: 0|req: 6451/17274] 10.3.3.3 () {52 vars in 986 bytes} [Tue Jul 16 02:40:38 2019] POST /login => generated 36 bytes in 48 msecs (HTTP/1.1 200) 6 headers in 413 bytes (1 switches on core 0)

2) Logout info in /var/log/phantom/wsgi.log

[pid: 2470|app: 0|req: 4279/17278] 10.3.3.3 () {46 vars in 928 bytes} [Tue Jul 16 02:41:26 2019] GET /logout?3444838 => generated 0 bytes in 9 msecs (HTTP/1.1 302) 5 headers in 206 bytes (1 switches on core 0)
3) ID : How to get the below data from Phantom server? Where is it located?
Creation
Modification
Deletion
3) Roles
Creation
Modification
Deletion

Labels (2)
Tags (1)
0 Karma
1 Solution

sdubey_splunk
Splunk Employee
Splunk Employee

Phantom audit information can be read via a REST API. You can access audit information for individual Users, Roles, Playbooks, and Containers. Or you can access all available audit information at once, with or without additional filtering. You find complete details at url https://my.phantom.us/4.0/docs/rest/audit.

View solution in original post

0 Karma

pdavis2_splunk
Splunk Employee
Splunk Employee
0 Karma

sdubey_splunk
Splunk Employee
Splunk Employee

Phantom audit information can be read via a REST API. You can access audit information for individual Users, Roles, Playbooks, and Containers. Or you can access all available audit information at once, with or without additional filtering. You find complete details at url https://my.phantom.us/4.0/docs/rest/audit.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...