Splunk SOAR
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Phantom

borisk95
New Member
‎03-12-2019 03:44 PM

Using Splunk Phantomm app and trying to export saved data model filds that are INHERITED parsed and can be forwared
but EXTRACTED field can not be parsed and send to phantom. EX
"_time",host,source,sourcetype,"Source_Ip"
"2019-03-13T00:39:19.000+0200","192.168.0.1",Mikrotik,syslog,"128.201.66.155"

Source ip is parsed in datamodel but could not parse and send thru phantom app

Tags (3)
0 Karma
Reply

cblumer_splunk
Splunk Employee
Splunk Employee
‎08-28-2019 11:18 PM

Utilizing a Saved Search for the Phantom App for Splunk including a " | table _time, host, source, sourcetype, Source_IP" portion at the end of the SPL query should allow you to forward events including that field.

example:
notable search_name = “name of notable” | table orig_time, orig_source, src, dest

  • Event (Saved Search) Forwarding
  1. On the Event Forwarding screen, select ‘New Saved Search Export’. The following configuration dialog will display. Fill this out as follows:

alt text

  1. ## If you’ve formatted your Splunk search output with something like the ‘table’ command, you can easily display those fields by clicking the “Auto-Extract Fields” button. This will display them below and allow you to map them to their CEF counterparts. Mapping is important as it will give some fields contextual association with actions inside of Phantom. Note: Clicking on the “Auto-Extract Fields” button more than once will duplicate the mapped fields, check for duplicates before saving.
picture1.png
Preview file
345 KB
0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top