
Cyware Threat Intelligence eXchange

Splunk Phantom

Splunk Phantom is a Security Orchestration, Automation, and Response (SOAR) platform. The Splunk Phantom platform combines security infrastructure orchestration, playbook automation, and case management capabilities to integrate your team, processes, and tools to help you orchestrate security workflows, automate repetitive security tasks, and quickly respond to threats.

Using this integration, security analysts can trigger playbooks in the Splunk Phantom application from the CTIX application. Security operations teams can trigger playbooks defined on Splunk Phantom that create multi-step workflows for incident management of your resources.

The Splunk Phantom internal application in Intel Exchange supports the following actions:

  • Trigger Playbook V3

Configure Splunk Phantom in CTIX

Splunk Phantom is available as an out-of-the-box integration in the CTIX application. To configure it as an internal application, do the following:

Configure Splunk Phantom App in CTIX

Before you Start

You must have the base URL and Access ID of your Splunk Phantom account to configure the app in CTIX. The user configuring the integration should have View & Update Tool Integration permission.

Steps

Use the following steps to configure the app in the CTIX application:

  1. Sign in to the CTIX application.

  2. From Administration, open Integration Management and select Internal Applications under Tool Integrations.

  3. Select Security Orchestration Automation Response.

  4. Search for Splunk Phantom and click the app.

  5. Click Add Instance.

  6. Enter the Instance name, Base URL, and Access ID.

  7. To have CTIX validate the Splunk Phantom server certificate on the HTTPS connection between CTIX and Splunk Phantom, select Verify SSL.

  8. Click Save.
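The instance configuration above collects three settings: a Base URL, an Access ID and the Verify SSL choice. The following added Python example (not Cyware's integration code and not Splunk's) shows what those settings do in the HTTPS calls that create a container and run a playbook on Splunk Phantom. It assumes the Splunk SOAR REST endpoints /rest/container and /rest/playbook_run, the ph-auth-token header and the response field names `id` and `playbook_run_id`, which you should confirm against your SOAR version's REST API documentation; the host, token, playbook ID and indicator value are constructed placeholders.

```python
"""Illustrative Splunk Phantom (Splunk SOAR) playbook trigger over the REST API.

Added example; it is neither Cyware's CTIX integration code nor Splunk's. It
assumes the Splunk SOAR REST endpoints /rest/container and /rest/playbook_run and
the ph-auth-token header (check them against your SOAR version). All URLs, tokens
and indicator values below are constructed placeholders.
"""
import json
import ssl
import urllib.request
from urllib.parse import urlparse


def build_request(base_url, access_id, path, payload, verify_ssl=True):
    """Return a prepared urllib Request plus the SSL context to send it with.

    The Access ID travels in the ph-auth-token header, so a plain-http base URL
    is refused: it would put the token on the wire in clear text. HTTPS encrypts
    the connection regardless of verify_ssl; verify_ssl only decides whether the
    server certificate and hostname are validated (the Verify SSL checkbox in the
    CTIX instance configuration).
    """
    parsed = urlparse(base_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("base URL must be https://host[:port]; refusing to send the Access ID in clear text")
    request = urllib.request.Request(
        base_url.rstrip("/") + path,
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={"ph-auth-token": access_id, "Content-Type": "application/json"},
    )
    context = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    if not verify_ssl:
        # Mirrors leaving Verify SSL unchecked: still encrypted, but any certificate is accepted.
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    return request, context


def container_payload(name, indicators, label="events"):
    """Container carrying each CTIX threat data object as one artifact.

    The 'indicator' CEF key is a constructed name; a real integration maps each
    indicator type to a standard CEF field (sourceAddress, fileHash, ...).
    """
    return {
        "name": name,
        "label": label,
        "artifacts": [
            {"label": "indicator", "name": value, "cef": {"indicator": value}}
            for value in indicators
        ],
    }


def playbook_run_payload(container_id, playbook_id):
    """Body for POST /rest/playbook_run: run playbook_id against container_id now."""
    return {"container_id": container_id, "playbook_id": playbook_id, "scope": "new", "run": True}


def send(request, context):
    """Send a prepared request and decode the JSON reply (needs network access)."""
    with urllib.request.urlopen(request, context=context, timeout=30) as response:
        return json.load(response)


def trigger_playbook(base_url, access_id, playbook_id, indicators, verify_ssl=True, post=send):
    """Create a container for the indicators, then start the playbook on it.

    `post` is injectable so the two-step flow can be exercised without a live server.
    """
    container_request, context = build_request(
        base_url, access_id, "/rest/container",
        container_payload("CTIX rule match", indicators), verify_ssl)
    container = post(container_request, context)
    run_request, _ = build_request(
        base_url, access_id, "/rest/playbook_run",
        playbook_run_payload(container["id"], playbook_id), verify_ssl)
    return post(run_request, context)


if __name__ == "__main__":
    # Constructed placeholders; replace with your instance's Base URL, Access ID and playbook ID.
    result = trigger_playbook("https://phantom.example.internal", "REPLACE_WITH_ACCESS_ID",
                              playbook_id=42, indicators=["198.51.100.7"])
    print(result)
```

The point of the `verify_ssl` branch is that unchecking Verify SSL does not turn encryption off; it turns certificate validation off, so any host that terminates the TLS connection is accepted as the SOAR server and receives the Access ID. Prefer enabling Verify SSL and trusting the Phantom server's CA chain over disabling the check.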

Enable Trigger Playbooks

After configuring the Splunk Phantom application on CTIX, enable the action to trigger playbooks.

  1. From Administration, open Integration Management and select Internal Applications under Tool Integrations.

  2. Select Security Orchestration Automation Response.

  3. Select Splunk Phantom.

  4. Click the ellipsis on the top right corner and click Manage.

  5. Click Manage Action(s) and select an action.

  6. Enable the toggle to trigger the playbooks.

  7. Click Save.

Create a Rule in CTIX to Trigger the Playbooks

Create a rule in the CTIX application to trigger the playbooks in Splunk Phantom.

  1. From the Main Menu, select Rules under Actions.

  2. Click New Rule.

  3. Enter a rule name and a description.

  4. To easily identify and categorize components in the CTIX application, select Tags.

  5. Click Submit.

  6. Set the following optional Basic Details for a rule:

    • Allow all Conditions: Applies all available conditions to the selected threat data object. When selected, the system notifies you that any previously selected conditions will be removed, and the Conditions entry under Components on the left side of the screen is removed.

    • Run Rule after Enrichment: Runs the rule only after data enrichment and confidence score evaluation are completed.

    • Triggers on Manual Update: Runs the rule for any manual update an analyst makes to an existing threat data object. It does not run the rule for new threat data objects coming into the application. This option removes the previously selected sources and collections and asks you to confirm that all sources and collections are allowed for the trigger that updates the threat data object.

    • Exclude False Positive: Excludes the identified false positives to filter the data. By default, this option is selected and no false positives are included. This option ignores any conditions configured in the rule to remove false positive threat data objects.

    • Exclude Indicators Allowed: Excludes the identified allowed indicators to filter the data. By default, this option is selected and no allowed indicators are included. This option ignores any conditions configured in the rule to remove the allowed threat data objects.

  7. Select the sources and collections, and conditions for the rule.

  8. In Actions, choose the following:

    1. Actions: Trigger Playbook

    2. Application: Splunk Phantom

    3. Account: Choose a Splunk Phantom account.

    4. Events: Choose the events that identify which Splunk Phantom playbooks to trigger.

    5. Threat Data Objects: Choose the threat data objects for which you want to trigger the playbook.

  9. Click Save.