- Remote Search – Query Splunk from Phantom Playbooks.

Some organizations may not want or need all four of these integrations, though to get the most out of the products, it is highly recommended.

Each integration requires one or more Splunk apps as well as ports to be opened between Splunk Cloud and Phantom on-prem.

Before we proceed, it should be noted that Phantom should exist in the DMZ, as it needs to allow TCP 443 traffic in from Splunk Cloud, specifically to receive events from Splunk Cloud, for integration #2 – sending events from Splunk Cloud to Phantom.

Another best practice that is often missed is enabling SSL for Remote Search, which fails without taking the proper steps with Splunk Support. In order to enable it, the SSL cert for Splunk's management port (8089) must be replaced on the Cloud Search Heads with one that is signed by a Public CA that the Phantom Server can verify.

To proceed with the integration, install the relevant Splunk Apps and Add-Ons (also known as Technical Add-ons or TAs). This can be completed with a Splunk Support request. Splunk Support will be required to complete installing most of the TAs. Make sure to specify that you need the Phantom TA and Phantom Remote Search installed on the Cloud Indexers as well as on the ES Search Head. If your organization does not have ES (Enterprise Security), these can be installed on the main Cloud Search Head.

The following four apps should be installed:

- Phantom App for Splunk (sends alerts from Splunk → Phantom on TCP 443).
- Splunk Add-on for Phantom (sends logs from Phantom → Splunk on TCP 9997).
- Phantom Remote Search (API requests from Phantom → Splunk on TCP 8089).
- Splunk App for Phantom Reporting (sends HEC data for reporting from Phantom → Splunk on TCP 443).

Each app needs to be installed in the following manner:

App Name: Phantom Reporting (Splunk App for Phantom Reporting)
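As an added example (not code from the original post or from Splunk), a small pre-flight script that encodes the four flows above, turns them into firewall rules, and checks the management-port certificate the way Phantom will, against the public CA store; the hostnames in it are placeholders:

```python
import socket
import ssl

# The four apps from the page: (app, side that connects, side that listens, port).
FLOWS = [
    ("Phantom App for Splunk", "splunk", "phantom", 443),
    ("Splunk Add-on for Phantom", "phantom", "splunk", 9997),
    ("Phantom Remote Search", "phantom", "splunk", 8089),
    ("Splunk App for Phantom Reporting", "phantom", "splunk", 443),
]


def firewall_rules(phantom_host, splunk_host):
    """Return (src, dst, port, app) tuples to hand to the firewall/DMZ team."""
    hosts = {"phantom": phantom_host, "splunk": splunk_host}
    return [(hosts[src], hosts[dst], port, app) for app, src, dst, port in FLOWS]


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes, i.e. the flow is open."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verify_mgmt_cert(host, port=8089, timeout=3.0):
    """Validate the Splunk management-port certificate as Phantom will: against
    the public CA bundle with hostname checking. 'untrusted-cert' is the failure
    the page warns about: the 8089 cert is not signed by a public CA, so Remote
    Search over SSL fails until Splunk Support replaces it."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.getpeercert()  # handshake already verified the chain
                return "ok"
    except ssl.SSLCertVerificationError:  # subclass of SSLError: check first
        return "untrusted-cert"
    except ssl.SSLError:
        return "tls-error"
    except OSError:  # refused, timed out, no route: the port is not open
        return "unreachable"


if __name__ == "__main__":
    # Placeholder hostnames (assumption); replace with your own.
    for src, dst, port, app in firewall_rules("phantom.dmz.example", "acme.splunkcloud.com"):
        print(f"{app}: {src} -> {dst}:{port} open={tcp_reachable(dst, port)}")
    print("Remote Search (8089) cert:", verify_mgmt_cert("acme.splunkcloud.com"))
```

Run it from the Phantom host for the Phantom → Splunk flows and from a Splunk Cloud-side vantage point for the 443 flow into the DMZ.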