Phantom app for Splunk configuration

I assume you have already installed Phantom, completed its initial configuration, and noted the access token it generated.

Log in to the Splunk web UI (the Splunk Enterprise web UI is separate from the Phantom UI). Go to the Apps section and install the Phantom App for Splunk (Phantom Add-on).

Click Create Server and follow the wizard. In the Create Server wizard you have to paste the access token you obtained during the initial Phantom configuration. As you can see in the image above, HTTPS verification is enabled by default in the app. The proper approach is to use valid SSL certificates issued by a well-known certificate authority. In a lab environment you can disable HTTPS verification by editing the conf file shown below (on the Splunk Enterprise instance):

vi /opt/splunk/etc/apps/phantom/local/phantom.conf

[verify_certs]
value = 0
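Because a disabled verify_certs setting is easy to forget after the lab is over, here is a small audit helper. It is an added example and not part of the original post or the Phantom app: it reads the [verify_certs] stanza from a phantom.conf, reports whether TLS verification is still on, and uses a constructed sample conf in a temp file in place of /opt/splunk/etc/apps/phantom/local/phantom.conf (the conf path, the function names and the sample contents are assumptions).

```shell
#!/bin/sh
# Added example (not from the original post): audit the Phantom App for Splunk
# TLS verification setting in phantom.conf. Only the [verify_certs] stanza's
# "value" key is read; any other stanza is ignored.

# verify_certs_value FILE
#   Prints the value found under [verify_certs], or "unset" if the stanza
#   or its value key is missing.
verify_certs_value() {
  awk '
    /^\[/ {
      line = $0
      sub(/[[:space:]]+$/, "", line)          # tolerate trailing whitespace
      in_stanza = (line == "[verify_certs]")  # 1 only inside the stanza we want
      next
    }
    in_stanza && /^[[:space:]]*value[[:space:]]*=/ {
      sub(/^[[:space:]]*value[[:space:]]*=[[:space:]]*/, "")
      sub(/[[:space:]]+$/, "")
      print; found = 1; exit
    }
    END { if (!found) print "unset" }
  ' "$1"
}

# audit_phantom_conf FILE
#   Prints "disabled" when verification has been switched off, "ok" otherwise
#   (an absent setting is treated as the app default, which is enabled).
audit_phantom_conf() {
  v=$(verify_certs_value "$1")
  case "$v" in
    0|false|False) echo "disabled" ;;
    *)             echo "ok" ;;
  esac
}

# Constructed sample conf (assumed content: the lab setting shown in the post).
# In practice point this at /opt/splunk/etc/apps/phantom/local/phantom.conf.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[verify_certs]
value = 0
EOF
echo "verify_certs=$(verify_certs_value "$sample") -> $(audit_phantom_conf "$sample")"
rm -f "$sample"
```

Run it against the real local/phantom.conf from a cron job or a config-check script; anything other than "ok" means the Splunk-to-Phantom channel is accepting any certificate and the setting should be reverted once proper certificates are in place.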

I cropped part of the token and server name for security reasons. If you receive an allowed-IP error during the Create Server wizard, add the Splunk Enterprise IP to the Allowed IPs field as shown below.

The menu above can be accessed in the Phantom server's web UI under Administration > User Management > Automation Account.

To conclude, the Phantom server is now added to Splunk Enterprise as shown below.

Regards