
Cyware Orchestrate

Splunk Phantom

App Vendor: Splunk

App Category: Analytics & SIEM

Connector version: 1.0.0

API Version: 1.0.0

About App

Splunk Phantom is a security orchestration, automation, and response (SOAR) system. The Splunk Phantom app enables security teams to integrate with the Splunk Phantom enterprise application to search for and retrieve the details of indicators and artifacts, thereby enabling analysts to analyze the data.

The Splunk Phantom app is configured with the Orchestrate application to perform the following actions:

  • Run Query Search: runs search queries using a query string and query parameters in the Splunk Phantom application.
  • Get List of Indicators: retrieves a list of indicators using query parameters from the Splunk Phantom application.
  • Get Details of Indicator: retrieves the details of an indicator using the indicator value, ID, and query parameters from the Splunk Phantom application.
  • Get Details of Indicator Artifact: retrieves the details of an indicator artifact using the indicator ID, value, and query parameters from the Splunk Phantom application.

Configuration Parameters

The following configuration parameters are required for the Splunk Phantom app to communicate with the Splunk Phantom enterprise application. The parameters can be configured by creating instances in the app.

Cloud Domain
  Description: Enter the Phantom server FQDN. Example: "https://phantom-host.domain.tld:443"
  Field Type: Text
  Required/Optional: Required

Auth Token
  Description: Enter the Phantom server authentication token. Example: "sample auth token"
  Field Type: Password
  Required/Optional: Required
  Comments: Access type: automation

Verify
  Description: Optional preference to either verify or skip the SSL certificate verification. Example: "True"
  Field Type: Boolean
  Required/Optional: Optional
  Comments: Allowed values:
    • True
    • False
    Default value: "False"

Action: Get List of Indicators

This action retrieves a list of indicators using query parameters from the Splunk Phantom application.

Action Input Parameters

Query Params
  Description: Enter the query parameters in key-value pairs. Example: { "page": "1", "page_size": "2" }
  Field Type: Key Value
  Required/Optional: Optional
  Comments: Allowed values:
    • _special_contains (bool)
    • _special_fields (bool)
    • _special_labels (bool)
    • sort (str):
      • _pretty_earliest_time
      • _pretty_latest_time
      • severity
      • id
      • value
    • page_size (int)
    • page (int)
    • order (str):
      • desc
      • asc
    • filter (str)

Example Request

[
    {
        "extra_params": {
            "page": "1",
            "page_size": "2"
        }
    }
]

Action: Get Details of Indicator

This action retrieves the details of an indicator using the indicator value, ID, and query parameters from the Splunk Phantom application.

Action Input Parameters

Indicator ID
  Description: Enter the indicator ID. Example: 10
  Field Type: Integer
  Required/Optional: Optional
  Comments: Enter either the indicator ID or the indicator value. You can retrieve the indicator ID using the Get List of Indicators action.

Indicator Value
  Description: Enter the indicator value. Example: "sample indicator value"
  Field Type: Text
  Required/Optional: Optional
  Comments: Enter either the indicator ID or the indicator value. You can retrieve the indicator value using the Get List of Indicators action.

Query Params
  Description: Enter the query parameters in key-value pairs. Example: { "_special_contains": "True" }
  Field Type: Key Value
  Required/Optional: Optional
  Comments: Allowed values:
    • _special_contains (bool)
    • _special_fields (bool)
    • _special_labels (bool)

Example Request

[
    {
        "extra_params": {
            "_special_contains": "True"
        },
        "indicator_id": 10,
        "indicator_value": null
    }
]

Action: Get Details of Indicator Artifact

This action retrieves the details of an indicator artifact using the indicator ID, value, and query parameters from the Splunk Phantom application.

Action Input Parameters

Indicator ID
  Description: Enter the indicator ID. Example: 10
  Field Type: Integer
  Required/Optional: Optional
  Comments: Enter either the indicator ID or the indicator value. You can retrieve the indicator ID using the Get List of Indicators action.

Indicator Value
  Description: Enter the indicator value. Example: "sample indicator value"
  Field Type: Text
  Required/Optional: Optional
  Comments: Enter either the indicator ID or the indicator value. You can retrieve the indicator value using the Get List of Indicators action.

Query Params
  Description: Enter the query parameters in key-value pairs. Example: { "page": "1", "page_size": "2" }
  Field Type: Key Value
  Required/Optional: Optional
  Comments: Allowed values:
    • _special_contains (bool)
    • _special_fields (bool)
    • _special_labels (bool)
    • sort (str):
      • _pretty_earliest_time
      • _pretty_latest_time
      • severity
      • id
      • value
    • page_size (int)
    • page (int)
    • order (str):
      • desc
      • asc
    • filter (str)

Example Request

[
    {
        "extra_params": {
            "page": "1",
            "page_size": "2"
        },
        "indicator_id": 10,
        "indicator_value": null
    }
]
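As an added example (not code from Cyware or Splunk), the following Python assembles the action payloads shown in the Example Requests above and the connection settings from the Configuration Parameters section, enforcing the either-ID-or-value rule and each action's allowed query parameters. The ph-auth-token header name and the https-only check on Cloud Domain are assumptions not taken from this page.

```python
from typing import Any, Dict, List
_SPECIAL = {"_special_contains", "_special_fields", "_special_labels"}   # bool-valued query params
_PAGING = {"page", "page_size"}                                            # int-valued query params
SORT_VALUES = {"_pretty_earliest_time", "_pretty_latest_time", "severity", "id", "value"}
ORDER_VALUES = {"asc", "desc"}
_FULL = _SPECIAL | _PAGING | {"sort", "order", "filter"}
ALLOWED = {"list": _FULL, "details": _SPECIAL, "artifact": _FULL}  # per action, as the page lists them

def _as_bool(value: Any) -> bool:
    text = str(value).strip().lower()
    if text not in ("true", "false"):
        raise ValueError(f"expected True or False, got {value!r}")
    return text == "true"

def validate_query_params(action: str, params: Dict[str, Any]) -> Dict[str, str]:
    """Reject keys or values outside the action's allowed list; values stay strings as the page shows them."""
    cleaned: Dict[str, str] = {}
    for key, value in params.items():
        if key not in ALLOWED[action]:
            raise ValueError(f"{key!r} is not an allowed query parameter for action {action!r}")
        if key in _SPECIAL:
            value = "True" if _as_bool(value) else "False"
        elif key in _PAGING and int(value) < 1:
            raise ValueError(f"{key} must be a positive integer")
        elif key == "sort" and value not in SORT_VALUES:
            raise ValueError(f"sort must be one of {sorted(SORT_VALUES)}")
        elif key == "order" and value not in ORDER_VALUES:
            raise ValueError("order must be 'asc' or 'desc'")
        cleaned[key] = str(value)
    return cleaned

def build_action_request(action: str, extra_params: Dict[str, Any],
                         indicator_id=None, indicator_value=None) -> List[Dict[str, Any]]:
    """Build the Example Request payload; the two detail actions need exactly one of ID or value."""
    body: Dict[str, Any] = {"extra_params": validate_query_params(action, extra_params)}
    if action == "list":
        if indicator_id is not None or indicator_value is not None:
            raise ValueError("Get List of Indicators takes no indicator ID or value")
        return [body]
    if (indicator_id is None) == (indicator_value is None):
        raise ValueError("supply exactly one of indicator_id or indicator_value")
    body.update(indicator_id=indicator_id, indicator_value=indicator_value)
    return [body]

def connection_settings(cloud_domain: str, auth_token: str, verify: Any = "False") -> Dict[str, Any]:
    """Turn the instance configuration into HTTP client settings (ph-auth-token header is an assumption)."""
    base = cloud_domain.rstrip("/")
    if not base.startswith("https://"):      # added check: the page's example FQDN is an https:// URL
        raise ValueError("Cloud Domain must be an https:// URL")
    return {"base_url": base, "headers": {"ph-auth-token": auth_token}, "verify": _as_bool(verify)}
```

Verify defaults to "False" on this page, which skips TLS certificate checking for every call to the Phantom server; pass "True" wherever the server certificate can be validated.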