The Timer App can be used to trigger a playbook on your intended schedule (every 5 mins if needed): https://my.phantom.us/4.8/docs/app_reference/phantom_timer The active playbook that will execute when the Timer App containers are created can be comprised of any of the actions in the existing Cherwell App: https://my.phantom.us/4.8/docs/app_reference/phantom_cherwell#get-ticket https://my.phantom.us/4.8/docs/app_reference/phantom_cherwell#list-tickets ... View more

The original question was around editing playbook code within the Phantom UI. What you've described is by design. ... View more

Always keep any custom code you may need within a single block/function inside of a playbook. Custom Function blocks work nicely for this, or you can modify the generated code within an Action, Filter, Decision, API Block. Keeping your custom code within a single block will allow you to continue using the UI builder as expected. ... View more

The saved search events should be forwarded to Phantom automatically on its own when using the Event Forwarding Exports in the Phantom App for Splunk. Are you setting the Schedule value appropriately? Are the permissions on the saved search configured as needed for the Phantom app to utilize it? Which version of Splunk Enterprise and the Phantom App for Splunk are you running? The Phantom app writes useful logs to splunk_home/var/log/splunk/phantom_configuration.log and splunk_home/var/log/splunk/phantom_forwarding.log ... View more

The Phantom App for Phantom includes an action called 'deflate item' which can be used to extract the contents of a .zip file into the Vault of the same Container the .zip was ingested into, this can be automated upon ingest using a Playbook: https://my.phantom.us/4.6/docs/app_reference/phantom_phantom#deflate-item If you'd like to do more advanced operation, that's where you would want to look at using custom Python code - the 'zipfile' python library can be used to open or manipulate a .zip file as needed within a Playbook. ... View more

The External Splunk Search feature is used widely by Phantom customers in Production. Can you share any errors your receiving when you run "Test Connection" from the Admin Settings > Search Settings page in the Phantom UI? https://my.phantom.us/4.6/docs/admin/administration#SearchSettings ... View more

Areas to check: Automation user on the Phantom side used for the Splunk integration - check the "Allowed IPs" config, this needs to allow for the Splunk search head to communicate with the Phantom host to create new containers/artifacts via the Forwarding Config Make sure you're entering the entire 'ph-auth-token' value on the Phantom Server Configuration Check the $splunk_home/var/log/splunk/phantom_configuration.log file for more details Please post more information to aid in finding a fix. ... View more

This is a beta "wget App for Phantom" which can perform this action. Ask about it in the phantom-community.slack.com workspace. ... View more

Other available methods: phantom.get_action_results() https://my.phantom.us/4.5/docs/automation/api_data_access#get_action_results phantom.add_note() & phantom.get_notes() https://my.phantom.us/4.5/docs/automation/api_container#add_note https://my.phantom.us/4.5/docs/automation/api_container#get_notes HTTP App for Phantom - 'get data' action - '/rest/action_run' endpoint https://my.phantom.us/4.5/docs/app_reference/phantom_http#get-data https://my.phantom.us/4.5/docs/rest/query ... View more

This issue has been fixed in the most recent v4.5 GA Release. Please upgrade to resolve the problem. Here's the Upgrade KB including the steps needed for upgrading your Phantom instance: https://my.phantom.us/kb/5/ ... View more

The HTTP App for Phantom can be used to perform a POST request to the Splunk ES API to change the status of a Notable Event to any custom status you may have defined: https://my.phantom.us/4.5/docs/app_reference/phantom_http#post-data https://docs.splunk.com/Documentation/ES/5.3.0/API/NotableEventAPIreference You will want to use the ID value of the custom status defined in revewstatuses.conf: "A status ID matching a status in reviewstatuses.conf. Only required if you are changing the status of the event." ... View more

Using the Phantom App for Splunk would be recommended for performing field mappings in that way: https://splunkbase.splunk.com/app/3411/ You can utilize either a Saved Search or Data Model to have events from Splunk Core/ES which meet the defined criteria in your SPL forwarded to the Phantom instance of your choice: ... View more

DHCP can optionally be used for a lab/dev Phantom instance. Are you defining the network adapter settings for the VM in ESXI/VM Workstation/Virtual Box? Are you having trouble reaching the Phantom Web UI? You'll also want to set the needed configuration in the "Configure Network" page within the menu that is displayed when booting up the OVA. https://my.phantom.us/4.5/docs/installation/virtual#AssignVAIP ... View more

Utilizing a Saved Search for the Phantom App for Splunk including a " | table _time, host, source, sourcetype, Source_IP" portion at the end of the SPL query should allow you to forward events including that field. example: notable search_name = “name of notable” | table orig_time, orig_source, src, dest Event (Saved Search) Forwarding On the Event Forwarding screen, select ‘New Saved Search Export’. The following configuration dialog will display. Fill this out as follows: ## If you’ve formatted your Splunk search output with something like the ‘table’ command, you can easily display those fields by clicking the “Auto-Extract Fields” button. This will display them below and allow you to map them to their CEF counterparts. Mapping is important as it will give some fields contextual association with actions inside of Phantom. Note: Clicking on the “Auto-Extract Fields” button more than once will duplicate the mapped fields, check for duplicates before saving. ... View more

https://answers.splunk.com/answers/708750/phantom-double-parameters-when-send-email.html#answer-769458 ... View more

Example cron entry: Run the purge script every day at 2:15am 15 2 * * * phenv python2.7 /opt/phantom/bin/Purge_Containers.py ... View more

That issue is typically caused by the permissions defined on the Saved Search in question: Permissions When the saved search is first created, the configuration is considered private and stored in the user’s directory. For it to be saved in the correct spot and made available to the Phantom app for Splunk for scheduling, the permissions of the saved search need to be modified as follows: While in context of the saved search app, go to the Settings menu and select ‘Searches, reports, and alerts’. Select the saved search that you want to make available to the Phantom app for Splunk, for scheduling. Under Actions, select ‘Edit’ and ‘Edit Permissions’ Change ‘Display For’ to All apps, ‘Run As’ to User, set read/write permissions as appropriate, and click save. Upon clicking Save, you’ll be dropped back to the ‘Searches, Reports, and Alerts’ screen, where you should now see the Sharing column show ‘Global’ for your search. It will now be available to other apps. ... View more

For your Use Case you will most likely want to use the Format Block's _as_list feature: https://my.phantom.us/4.5/docs/automation/api_playbook#format You Format Block template can look like this: Use this DataPath to pass the full output of the Format Block to the 'body' parameter of the Send Email action block: format_1:formatted_data And your Email Body will look like this: ... View more

An on-prem/AWS/Azure/GCP instance of Phantom can be used with Splunk Cloud, however a Support case will need to be created in order for the API communication port (default 8089) to be opened for the integration to have connectivity. Once the connectivity is enabled, a good way to test it out would be to install & configure the Splunk App for Phantom with the required IP/Hostname, port, and user parameters defined. Here's a KB link for that app: https://my.phantom.us/4.5/docs/app_reference/phantom_splunk#test-connectivity ... View more

This Custom Function example can be used to have a new Artifact created in the current container with the event data returned from a Splunk query executed in a previous playbook block: def add_notable_event_Artifact(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None): phantom.debug('add_notable_event_Artifact() called') results_data_1 = phantom.collect2(container=container, datapath=['run_Notable_query:action_result.data'], action_results=results) results_item_1_0 = [item[0] for item in results_data_1] add_notable_event_Artifact__notable_artifact = None ################################################################################ ## Custom Code Start ################################################################################ # Write your custom code here... notable_artifact_json = results_item_1_0[0][0] # phantom.debug(notable_artifact_json) # Find and replace any JSON Keys which have a "." or "::" in them to have an underscore for k, v in notable_artifact_json.iteritems(): if "." in k or "::" in k or "(" in k or ")" in k: new_key = k.replace('.', '_').replace('::', '_').replace('(', '_').replace(')', '_') notable_artifact_json[new_key] = notable_artifact_json.pop(k) # Add "Notable Event Artifact" to Phantom Event success, message, artifact_id = phantom.add_artifact(container=container['id'], raw_data={}, cef_data=notable_artifact_json, label="notable", name="Notable Event Artifact", severity="medium", identifier=None, artifact_type="notable", field_mapping=None, trace=False, run_automation=False) # phantom.debug(success) # phantom.debug(message) # phantom.debug(artifact_id) ################################################################################ ## Custom Code End ################################################################################ phantom.save_run_data(key='add_notable_event_Artifact:notable_artifact', value=json.dumps(add_notable_event_Artifact__notable_artifact)) return ... View more

It looks like the Management API feature was introduced in the R80 Check Point Release: https://sc1.checkpoint.com/documents/latest/APIs/index.html#api_versions~v1.5%20 Here are the Checkpoint API Docs: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/introduction~v1.5%20 Checkpoint App for Phantom: https://my.phantom.us/4.5/docs/app_reference/phantom_checkpoint ... View more