Phantom App for Splunk
Overview
Details
Phantom is a security automation and orchestration platform that integrates with your existing security technologies in order to provide a layer of “connective tissue” between them.
Phantom streamlines security operations through the execution of digital “Playbooks” to achieve in seconds what may normally take minutes or hours to accomplish with the dozens of point products that you use every day.
Phantom doesn’t replace existing security products, but instead makes your investment in them smarter, faster and stronger.
Phantom accomplishes this through a logical architecture that abstracts product capabilities, through the Phantom App model, into simple Actions that can be automated from within Playbooks. This allows Phantom to act as an "operating system" for your security products.
To learn more about installation, configuration, and using the Phantom App for Splunk read the documentation:
https://docs.splunk.com/Documentation/PhantomApp
Additional technical documentation also available at the Phantom community portal:
https://my.phantom.us/4.5/docs/admin/splunk
If you do not yet have a phantom community account, signup at:
https://my.phantom.us/signup/
Release Notes
Version 4.1.73
=========================
Version 4.1.73 Release Notes
=========================
- Event forwarding configurations have been converted to save as search alerts instead of reports
- Performance improvement for container and artifact creation in Splunk Phantom and Splunk SOAR
- Custom advanced time parameters “Earliest Time” and “Latest Time” added to saved search event forwarding configuration
- Performance improvements for workbooks tab
- Added bulk workbook management
- Added app.manifest to app folder
- Alert actions and adaptive response actions now use cim_modactions index instead of phantom_modalert index
- Upgraded urllib3 to version 1.26.6 and requests library to 2.25.1
Version 4.1.3
============================
Version 4.1.3 Release notes
============================
- This release of the Splunk Phantom App for Splunk connects both Splunk Phantom and Splunk SOAR to your Splunk platform
- Bug fix where Event Forwarding Save and Preview hangs with 0 results
- Splunk Enterprise Security is no longer needed unless performing adaptive response actions or AR Relay
- Splunk events not created in Splunk SOAR and Splunk Phantom are stored in KV Store and attempt to re-send every 60 seconds until successful
- Synchronize workbooks across multiple Splunk SOAR and Splunk Phantom instances
- Alert Action Configurations tab moved to Configurations tab and no longer uses jQuery
- Limit read access to users with phantom role
Version 4.0.35
==========================
Version 4.0.35 Release notes
==========================
- Splunk 8.1 compatibility
- Bug fix where field in _raw data is not displayed in the container's artifact
- Bug fix where some searches with tstats were not working correctly
- Bug fix where Phantom App for Splunk shared libraries with other Splunkbase apps
- Bug fix to remove "Auto Generated" option for data model forwarding configurations
- Limit CEF field keys to Phantom accepted values of numbers, characters, and underscores only
- Remove automatic update check for newer versions of the app
Version 4.0.10
============================
Version 4.0.10 Release notes
============================
- Python 2 and 3 compatibility
- Multivalue option for adaptive response artifacts
- Use adaptive response relay to forward events to Splunk Phantom
- Bug fix where Adaptive Response action resulting container link is incorrect
- Bug fix missing Container Name custom field
Version 3.0.5
Version 3.0.5 Release notes:
- Bug fix auto mapping cannot be turned off
- Bug fix adaptive response action creating duplicate artifacts
- Global mapping page to save custom mappings, which can be automatically applied to forwarding configurations
- Updated UI for Event Forwarding page
Version 2.7.5
Be sure to read the README and follow instructions for upgrading from version 2.5.23 to 2.7.5.
Version 2.7.5 Release notes:
- Added server.conf to set phantom.conf replication to true
- Update storage/passwords and saved searches endpoints to support search head clustering
- Added logic to check default folder if cert_bundle.pem is not found in local folder
- Added ability to specify artifact label in forwarding configurations
- Added ability to create, delete, and edit server configurations with offline servers listed
- Updated requests library to version 2.21.0
- Updated fields sent from notable to Phantom
- Bug fix sendalert returning error code 1 on success
- Cosmetic and logging improvements
Version 2.6.22
Be sure to read the README and follow instructions for upgrading from version 2.5.23 to 2.6.22.
Version 2.6.22 Release notes:
- Added dropdown for selecting servers and playbooks in Run Playbook in Phantom ES Adaptive Response action
- Added ability to optionally specify Phantom label for ES Adaptive Response actions
- Improved logging functionality and ES Adaptive Response results
- Improved Server Configuration UI for adding and updating configurations. Added 'default' server, test connectivity, and sync playbooks features
- Forwarding configuration destinations now update when corresponding server configurations are changed
- Added Phantom authorization token obfuscation
- Added Phantom logo to Splunk Apps dropdown menu
- Added alert actions support for custom CEF fields to be displayed in Phantom containers
- Added requests library to app
- Bug fix artifacts receiving incorrect forwarding configuration export labels
- Bug fix parsing issues on Splunk for Windows
Version 2.5.23
This app imports Splunk_SA_CIM and SA_Utils libraries, version 4.8.0.
Third party libraries included in this app:
- jQuery-datatables https://datatables.net/
- Select2 https://select2.org/
Version 2.5.23 Release notes
- Added Federal Information Processing Standard (FIPS) support
- Added support for automatically extracting Fields on the saved search export (no wildcard support)
- Added support for auto-populating cef fields when custom cim field is added
- Changed timing model to use index time instead of _time for newly created data model export
- Bug fixes on Internet Explorer, preview window settings, Adaptive Response Action window
- See README.txt for further details on IE 11, FIPS and custom latency usage
Version 2.5.2
This app imports Splunk_SA_CIM and SA_Utils libraries, version 4.8.0.
Third party libraries included in this app:
- jQuery-datatables https://datatables.net/
- Select2 https://select2.org/
===========================
Version 2.5.2 Release notes
===========================
- Support for Splunk 7.1
- Updated copyright information
- Performance improvement on Export configuration with a large number of field mappings
- Bug fix on search field resetting when saved search or data model export is changed
- Bug fix on Export configuration losing updates when the mouse is clicked on outside the configuration window
- Bug fix on selection of invalid value for Scheduled time units
- Bug fix on destinationTranslatedAddress and bytesIn field mappings
- Bug fix on container label when upgrading from 2.2.x version
Version 2.4.18
All user documentation can be found in the Phantom platform in Documentation, Administration Manual, Data Sources, Splunk.
You may also visit https://my.phantom.us/docs/admin/splunk with your Phantom account.
Contact support@phantom.us for any support or installation issues. The only system requirement is a functional installation of the Phantom platform.
This app imports Splunk_SA_CIM and SA_Utils libraries, version 4.8.0.
Third party libraries included in this app:
- jQuery-datatables https://datatables.net/
- Select2 https://select2.org/
==================
Installation Notes
==================
===========================
Version 2.4.18 Release notes
===========================
- Bug fix on time string error when sending Data Model export on Windows server
- Bug fix on export name containing white space on Windows server
Version 2.4.17
===========================
Version 2.4.17 Release notes
===========================
- Bug fix on time string error when sending Data Model export on Windows server
- Bug fix on export name containing white space on Windows server
Version 2.4.16
Important notes for the previous versions are included in the README.txt in the package.
===========================
Version 2.4.16 Release notes
===========================
- Bug fix on time string error when sending Data Model export on Windows server
- Bug fix on export name containing white space on Windows server
Version 2.4.15
Version 2.3.12
Important notes for this version are included in the README.txt in the package.
Highlights of this release:
Remove SSL Verification checkbox, add the ability to enable/disable SSL Verification via REST (see README.txt in the package). Note this is prohibited on Splunk Cloud.
Make dropdown fields in the configuration easier to use by sorting and filtering.
Add "save" next to "save and preview"
Include URL to Splunk Results - "_originating_search" now appears in the artifact CEF for adaptive response actions.
Add clone button for event forwarding configuration
Added free-form entry of destination labels
Added the ability to execute a playbook from Alert Actions
Resolve a javascript security issue noted by Splunk security review.
* Resolve error messages in logs, improved error handling
Version 2.2.17
- Update for Splunk Cloud certification
- Force SSL Verify always enabled, Customer can not choose to disable SSL Verification
- No other functional changes since 2.2.9