After about a month of trying everything and anything I randomly read this Splunk doc:
https://docs.splunk.com/Documentation/Splunk/latest/Security/HowtoprepareyoursignedcertificatesforSplunk
Replace "latest" with the Splunk version being used and read about certificate chaining:
[ server certificate]
[ intermediate certificate]
[ root certificate (if required) ]
I went here:
$SPLUNK_HOME/etc/apps/TA_windows-defender/bin/ta_windows_defender/requests/
It turns out that TA_windows_defender needed my root certificate appended to the cacerts.pem.
I suggest backing up your certs, and then appending with a command that works:
cat org.pem >> cacerts.pem
If it looks correct, restart Splunk. I hope you had the same issue and it is fixed.
Happy Splunking!
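The append step above is a single `cat`, which is easy to get wrong (typo in the bundle name, cert pasted twice, bundle missing its trailing newline). The script below is an added example, not the poster's commands and not part of the Splunk TA; the function names `append_ca_bundle` and `count_certs` are hypothetical, and the PEM bodies it writes are constructed placeholders rather than real certificates. It backs up the bundle, checks that the input actually carries PEM certificate markers, skips the append when that certificate is already present, and reports how many certificates the bundle holds before and after.

```shell
#!/bin/sh
# Hypothetical helper: append a root/intermediate PEM to a CA bundle safely.
# Usage: append_ca_bundle <cert.pem> <cacerts.pem>

# Count the certificates in a PEM bundle by its BEGIN markers.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

append_ca_bundle() {
    cert="$1"
    bundle="$2"
    [ -f "$cert" ]   || { echo "missing cert: $cert" >&2; return 1; }
    [ -f "$bundle" ] || { echo "missing bundle: $bundle" >&2; return 1; }

    # A PEM certificate must carry both markers; refuse DER or junk input.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" || { echo "not a PEM certificate: $cert" >&2; return 2; }
    grep -q -- '-----END CERTIFICATE-----' "$cert"   || { echo "not a PEM certificate: $cert" >&2; return 2; }

    # Compare the base64 body only, so the same cert is never appended twice.
    body=$(sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$cert" | grep -v -- '-----' | tr -d '\n')
    existing=$(grep -v -- '-----' "$bundle" | tr -d '\n')
    case "$existing" in
        *"$body"*) echo "already present in $bundle"; return 0 ;;
    esac

    # Timestamped backup of the bundle before touching it.
    cp -p "$bundle" "$bundle.bak.$(date +%Y%m%d%H%M%S)"

    # Ensure the bundle ends with a newline so the new BEGIN marker starts a line.
    [ -z "$(tail -c1 "$bundle")" ] || printf '\n' >> "$bundle"
    cat "$cert" >> "$bundle"
    echo "appended $cert to $bundle (now $(count_certs "$bundle") certificates)"
    return 0
}

# Stand-alone demo with constructed files (placeholder bodies, not real certs).
demo() {
    dir=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTEDBUNDLECERT\n-----END CERTIFICATE-----\n' > "$dir/cacerts.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTEDORGROOT\n-----END CERTIFICATE-----\n' > "$dir/org.pem"
    echo "before: $(count_certs "$dir/cacerts.pem") certificate(s)"
    append_ca_bundle "$dir/org.pem" "$dir/cacerts.pem"
    append_ca_bundle "$dir/org.pem" "$dir/cacerts.pem"   # second run is a no-op
    echo "after:  $(count_certs "$dir/cacerts.pem") certificate(s)"
}
demo
```

After appending, `openssl verify -CAfile cacerts.pem server.pem` against the server certificate the TA is connecting to is the quickest way to confirm the chain now validates before restarting Splunk.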