Splunk Phantom

borisk95 · ‎03-12-2019

Using Splunk Phantomm app and trying to export saved data model filds that are INHERITED parsed and can be forwared
but EXTRACTED field can not be parsed and send to phantom. EX
"_time",host,source,sourcetype,"Source_Ip"
"2019-03-13T00:39:19.000+0200","192.168.0.1",Mikrotik,syslog,"128.201.66.155"

Source ip is parsed in datamodel but could not parse and send thru phantom app

cblumer_splunk · ‎08-28-2019

Utilizing a Saved Search for the Phantom App for Splunk including a " | table _time, host, source, sourcetype, Source_IP" portion at the end of the SPL query should allow you to forward events including that field.

example:
notable search_name = “name of notable” | table orig_time, orig_source, src, dest

Event (Saved Search) Forwarding

On the Event Forwarding screen, select ‘New Saved Search Export’. The following configuration dialog will display. Fill this out as follows:

## If you’ve formatted your Splunk search output with something like the ‘table’ command, you can easily display those fields by clicking the “Auto-Extract Fields” button. This will display them below and allow you to map them to their CEF counterparts. Mapping is important as it will give some fields contextual association with actions inside of Phantom. Note: Clicking on the “Auto-Extract Fields” button more than once will duplicate the mapped fields, check for duplicates before saving.

Splunk Phantom

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?