Splunk Phantom Operation
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
| Current Integration Version | 2.1.0 |
| Compatible with ThreatQ Versions | >= 4.34.0 |
| Support Tier | ThreatQ Supported |
Introduction
The Splunk Phantom Operation allows a ThreatQ user to create containers and run playbooks in Phantom.
The operation provides the following actions:
- Create Container - creates a container based on an event.
- Run Playbook - runs a playbook from a container.
- Get Playbook Results - fetches playbook results.
The operation is compatible with Event system objects.
Installation
This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Operation option from the Type dropdown (optional).
- Click on the integration entry to open its details page.
- Enter the following parameters under the Configuration tab:
Parameter Description Hostname Your Splunk Phantom instance hostname. Authentication Token Your Splunk Phantom authentication token. - Review any additional settings, make any changes if needed, and click on Save.
- Click on the toggle switch, located above the Additional Information section, to enable it.
Actions
The operation provides the following actions:
| Action | Description | Object Type | Object Subtype |
|---|---|---|---|
| Create Container | Creates a container based on an event. | Events | N/A |
| Run Playbook | Runs a playbook from a container. | Events | N/A |
| Get Playbook Results | Fetches playbook results. | Events | N/A |
Create Container
The Create Container action creates a container based on an event.
POST https://<hostname>/rest/container
Action Parameters
The action has the following configuration parameters:
| Parameter | Description |
|---|---|
| Container Label | For example, events, generator, sample. All possible labels can be found in the Phantom UI. |
| Sensitivity | Container sensitivity. |
| Severity | Container severity. |
| Status | Container status. |
| Kill Chain | Cyber kill chain. |
| Artifact Label | The label to assign the artifacts. |
| IP Address CEF Field | The field to use for IP addresses. |
| FQDN CEF Field | The field to use for FQDNs. |
| File Hash CEF Field | The field to use for File Hashes. |
| Filename CEF Field | The field to use for Filenames. |
| File Path CEF Field | The field to use for File Paths. |
| Username CEF Field | The field to use for Usernames. |
Run Playbook
The Run Playbook action runs a playbook from a container.
POST https://<hostname>/rest/playbook_run
Action Parameter
The action has the following configuration parameter:
| Parameter | Description |
|---|---|
| Playbook Name | The name of the playbook to run. |
Get Playbook Results
The Get Playbook Results fetches playbook results.
GET https://<hostname>/rest/playbook_run
Change Log
- Version 2.1.0
- Initial release
PDF Guides
| Document | ThreatQ Version |
|---|---|
| Splunk Phantom Operation Guide v2.1.0 | 4.34.0 or Greater |