The Timer App can be used to trigger a playbook on your intended schedule (every 5 mins if needed): https://my.phantom.us/4.8/docs/app_reference/phantom_timer The active playbook that will execute when the Timer App containers are created can be comprised of any of the actions in the existing Cherwell App: https://my.phantom.us/4.8/docs/app_reference/phantom_cherwell#get-ticket https://my.phantom.us/4.8/docs/app_reference/phantom_cherwell#list-tickets ... View more

The original question was around editing playbook code within the Phantom UI. What you've described is by design. ... View more

Always keep any custom code you may need within a single block/function inside of a playbook. Custom Function blocks work nicely for this, or you can modify the generated code within an Action, Filter, Decision, API Block. Keeping your custom code within a single block will allow you to continue using the UI builder as expected. ... View more

The saved search events should be forwarded to Phantom automatically on its own when using the Event Forwarding Exports in the Phantom App for Splunk. Are you setting the Schedule value appropriately? Are the permissions on the saved search configured as needed for the Phantom app to utilize it? Which version of Splunk Enterprise and the Phantom App for Splunk are you running? The Phantom app writes useful logs to splunk_home/var/log/splunk/phantom_configuration.log and splunk_home/var/log/splunk/phantom_forwarding.log ... View more

The Phantom App for Phantom includes an action called 'deflate item' which can be used to extract the contents of a .zip file into the Vault of the same Container the .zip was ingested into, this can be automated upon ingest using a Playbook: https://my.phantom.us/4.6/docs/app_reference/phantom_phantom#deflate-item If you'd like to do more advanced operation, that's where you would want to look at using custom Python code - the 'zipfile' python library can be used to open or manipulate a .zip file as needed within a Playbook. ... View more

The External Splunk Search feature is used widely by Phantom customers in Production. Can you share any errors your receiving when you run "Test Connection" from the Admin Settings > Search Settings page in the Phantom UI? https://my.phantom.us/4.6/docs/admin/administration#SearchSettings ... View more

Areas to check: Automation user on the Phantom side used for the Splunk integration - check the "Allowed IPs" config, this needs to allow for the Splunk search head to communicate with the Phantom host to create new containers/artifacts via the Forwarding Config Make sure you're entering the entire 'ph-auth-token' value on the Phantom Server Configuration Check the $splunk_home/var/log/splunk/phantom_configuration.log file for more details Please post more information to aid in finding a fix. ... View more

This is a beta "wget App for Phantom" which can perform this action. Ask about it in the phantom-community.slack.com workspace. ... View more

Other available methods: phantom.get_action_results() https://my.phantom.us/4.5/docs/automation/api_data_access#get_action_results phantom.add_note() & phantom.get_notes() https://my.phantom.us/4.5/docs/automation/api_container#add_note https://my.phantom.us/4.5/docs/automation/api_container#get_notes HTTP App for Phantom - 'get data' action - '/rest/action_run' endpoint https://my.phantom.us/4.5/docs/app_reference/phantom_http#get-data https://my.phantom.us/4.5/docs/rest/query ... View more

This issue has been fixed in the most recent v4.5 GA Release. Please upgrade to resolve the problem. Here's the Upgrade KB including the steps needed for upgrading your Phantom instance: https://my.phantom.us/kb/5/ ... View more

The HTTP App for Phantom can be used to perform a POST request to the Splunk ES API to change the status of a Notable Event to any custom status you may have defined: https://my.phantom.us/4.5/docs/app_reference/phantom_http#post-data https://docs.splunk.com/Documentation/ES/5.3.0/API/NotableEventAPIreference You will want to use the ID value of the custom status defined in revewstatuses.conf: "A status ID matching a status in reviewstatuses.conf. Only required if you are changing the status of the event." ... View more

Using the Phantom App for Splunk would be recommended for performing field mappings in that way: https://splunkbase.splunk.com/app/3411/ You can utilize either a Saved Search or Data Model to have events from Splunk Core/ES which meet the defined criteria in your SPL forwarded to the Phantom instance of your choice: ... View more

DHCP can optionally be used for a lab/dev Phantom instance. Are you defining the network adapter settings for the VM in ESXI/VM Workstation/Virtual Box? Are you having trouble reaching the Phantom Web UI? You'll also want to set the needed configuration in the "Configure Network" page within the menu that is displayed when booting up the OVA. https://my.phantom.us/4.5/docs/installation/virtual#AssignVAIP ... View more

Utilizing a Saved Search for the Phantom App for Splunk including a " | table _time, host, source, sourcetype, Source_IP" portion at the end of the SPL query should allow you to forward events including that field. example: notable search_name = “name of notable” | table orig_time, orig_source, src, dest Event (Saved Search) Forwarding On the Event Forwarding screen, select ‘New Saved Search Export’. The following configuration dialog will display. Fill this out as follows: ## If you’ve formatted your Splunk search output with something like the ‘table’ command, you can easily display those fields by clicking the “Auto-Extract Fields” button. This will display them below and allow you to map them to their CEF counterparts. Mapping is important as it will give some fields contextual association with actions inside of Phantom. Note: Clicking on the “Auto-Extract Fields” button more than once will duplicate the mapped fields, check for duplicates before saving. ... View more

https://answers.splunk.com/answers/708750/phantom-double-parameters-when-send-email.html#answer-769458 ... View more

Example cron entry: Run the purge script every day at 2:15am 15 2 * * * phenv python2.7 /opt/phantom/bin/Purge_Containers.py ... View more