Get started with the Splunk Phantom integration

The EclecticIQ app for Splunk Phantom is a native application that installs directly on your Splunk Phantom instance.

Below is a short guide for getting started with the EclecticIQ app for Splunk Phantom.

For more detailed instructions, go to Splunk Phantom documentation on configuring apps and assets.

For more information about the EclecticIQ app, go to the Splunk Phantom app reference.

Requirements

  • EclecticIQ Platform 2.x or later.

  • EclecticIQ app for Splunk Phantom installed on your Splunk Phantom instance.

  • Network access between EclecticIQ Platform and your Splunk Phantom instance.

Download the app

  1. Go to my.phantom.us and sign in with your Splunk Phantom account.

  2. In the top navigation bar, click Apps > For Phantom.

  3. Search for EclecticIQ app.

    The results should display the EclecticIQ app for Splunk Phantom.

  4. Click on the Download button on the right of the entry for EclecticIQ app.

(Optional) Create a new source group

Create a new dedicated source group to manage data sent to and received from the EclecticIQ app.

When adding Allowed sources to the group, make sure to add Sources that contain data that you want to send to the EclecticIQ app.

Set up Outgoing feed on EclecticIQ Platform

In order to allow your Splunk Phantom instance to use intelligence from EclecticIQ Platform to detect threats, set up an outgoing feed on your platform instance:

  1. In the left navigation bar, click Data Configuration > Outgoing feeds > +.

  2. Set the following fields in your new outgoing feed:

    Feed name*
      Enter a descriptive name for the outgoing feed.
      Example: Outgoing feed for <vendor system>

    Transport type*
      Set this to HTTP download.

    Content type*
      Set this to EclecticIQ JSON.

    Feed content
      • Datasets*: Select one or more datasets to include in this outgoing feed.

      • Update strategy*: Select an update strategy.

        The EclecticIQ app supports these update strategies:

        • APPEND: Select this option to only pack data that is new. This means only data added to the included datasets since the last time the feed was run is packed and made available through the HTTP download endpoints.

        • REPLACE: Select this option to always re-generate the contents of the entire feed each time it runs.

          Use this when you need to make sure that items removed from the dataset(s) included in the feed are also removed from the data made available through the HTTP download endpoints.

          Not recommended for feeds with large datasets, or feeds with frequent execution schedules.

    Transport configuration
      • Public: Select this to make this feed publicly available.

      • Authorized groups: If Public is not selected, select one or more groups to make this feed available to.

        If you created a source group earlier, add that here.

    Execution schedule
      Set to None by default.

    For more information on configuring HTTP download outgoing feeds, see Outgoing feed - HTTP download feed.

  3. Save and run the outgoing feed.
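The APPEND and REPLACE behaviour described under Update strategy, modelled in Python as an added example (this is not EclecticIQ or Splunk Phantom code; the class and function names are invented for illustration). It shows the edge case the text warns about: a consumer that accumulates APPEND packages never learns that an item was removed from the dataset.

```python
# Added example (not EclecticIQ or Splunk code): a minimal model of the APPEND and
# REPLACE update strategies described above. It shows that a consumer which builds
# its indicator set from APPEND packages never learns about removed items.
from typing import List, Set


class OutgoingFeedModel:
    """Packs a dataset of entity IDs into one package per run, per the chosen strategy."""

    def __init__(self, strategy: str) -> None:
        if strategy not in ("APPEND", "REPLACE"):
            raise ValueError("strategy must be APPEND or REPLACE")
        self.strategy = strategy
        self._packed: Set[str] = set()  # everything already packed (APPEND bookkeeping)

    def run(self, dataset: Set[str]) -> List[str]:
        """Return the package produced by one run of the feed over `dataset`."""
        if self.strategy == "REPLACE":
            return sorted(dataset)  # the whole feed is regenerated every run
        new = dataset - self._packed  # only entities added since the last run
        self._packed |= new
        return sorted(new)


def consumer_view(strategy: str, snapshots: List[Set[str]]) -> Set[str]:
    """Indicators a polling consumer holds after downloading every run's package.

    `snapshots` is the dataset contents at each run. With APPEND the consumer has
    to accumulate packages; with REPLACE the latest package is the complete truth.
    """
    feed = OutgoingFeedModel(strategy)
    view: Set[str] = set()
    for snapshot in snapshots:
        package = set(feed.run(snapshot))
        if strategy == "APPEND":
            view |= package
        else:
            view = package
    return view


# Constructed sample: ind-2 is removed from the dataset and ind-3 added between run 1 and run 2.
SAMPLE_SNAPSHOTS: List[Set[str]] = [{"ind-1", "ind-2"}, {"ind-1", "ind-3"}]
```

With APPEND the consumer still holds ind-2 after run 2; with REPLACE it does not, which is why REPLACE is the strategy to use when removals must propagate.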

Get the feed ID

We need the ID of the outgoing feed that you’ve just created.

To get the feed ID:

  1. In the left navigation bar, click Data Configuration > Outgoing feeds.

  2. In the Outgoing feeds overview, click on the outgoing feed you’ve just created.

  3. In the panel that appears, click on the Created packages tab.

  4. Locate and note the feed ID shown in this tab.

    The feed ID is displayed as part of the outgoing feed URLs shown. For example, in:

    You can download the latest package from:
    https://tip.example.com/private/open-outgoing-feed-download/8/runs/f32b18ed-3292-4eb7-9359-afa97a2783f3/content-blocks/latest

    the feed ID is 8.

Install EclecticIQ app for Splunk Phantom

  1. Sign in to your Splunk Phantom instance.

  2. In the top navigation bar, click on the drop-down menu that says Home, and select Apps.

  3. Click INSTALL APP at the top right.

  4. Follow the on-screen instructions to upload the .tgz package for the EclecticIQ app downloaded in Download the app.

  5. Click INSTALL.

Configure the app

Splunk Phantom provides extensive documentation on configuring apps and assets.

More information about the EclecticIQ app can also be found in the app reference.

  1. In the Apps view on Splunk Phantom, click the Unconfigured Apps tab.

  2. Search for EclecticIQ app.

    The EclecticIQ app should appear as a result.

  3. Click CONFIGURE NEW ASSET on the right of the entry for EclecticIQ app.

    This creates a new configuration for the EclecticIQ app.

The following sections go over the configuration required for the EclecticIQ app to work.

Once you’re done configuring the asset, click SAVE.

For more information about other configuration options, see the Splunk Phantom documentation on apps and assets, or see the app reference.

Asset Info

  Asset name
    Example: EclecticIQ App for Splunk Phantom
    Enter a descriptive name for your asset configuration.

  Asset description
    Example: Optional description for asset.
    Enter a description for your asset.

  Product vendor
    Example: EclecticIQ
    Set to EclecticIQ by default.

  Product name
    Example: TIP
    Set to TIP by default.

  Tags
    Example: sample
    (Optional) Select one or more tags for this asset.
    For more information, see Splunk Phantom documentation.

Asset Settings

  EclecticIQ Platform Address
    Example: https://tip.example.com
    URL of your EclecticIQ Platform instance.

  EclecticIQ Username
    Example: user
    User name of the account that has read and write access to the source group created in Create a new source group.

  EclecticIQ Password/Token
    Example: password
    Password or token for the account.

  EclecticIQ Group Name for Entities
    Example: Testing Group
    The name of the source group to retrieve entities from or send entities to.
    If you created a new source group, enter its name here.
    Source group names are case-sensitive.

  EclecticIQ Outgoing Feed ID # for Polling
    Example: 7
    Enter the feed ID from Get the feed ID.
    Optional. Only needed for actions that retrieve data from the EclecticIQ Platform. Not required when setting up the EclecticIQ app only to send entities to the EclecticIQ Platform.

  EclecticIQ SSL Cert Check
    Not selected by default.
    Select to require Splunk Phantom to verify the certificate provided by the EclecticIQ Platform at the given URL. When it is not selected, the app accepts any certificate presented at that address, so select it for production deployments.
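Two small helpers, added here as an example and not part of the EclecticIQ app or Splunk Phantom: one pulls the feed ID out of a package URL of the shape quoted in Get the feed ID, the other pre-checks an asset configuration keyed by the field names in the Asset Settings table before it is saved. Function names and the sample settings are invented for illustration.

```python
# Added example (not EclecticIQ or Splunk code): extract the feed ID from the
# package URL shown on the Created packages tab, and pre-check the asset settings
# before saving them. Field names follow the Asset Settings table above.
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Path shape quoted in "Get the feed ID": .../open-outgoing-feed-download/<feed id>/runs/<run uuid>/...
_FEED_URL = re.compile(
    r"/open-outgoing-feed-download/(?P<feed_id>\d+)/runs/"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/",
    re.IGNORECASE,
)


def feed_id_from_url(url: str) -> Optional[int]:
    """Return the numeric feed ID embedded in a package download URL, or None."""
    m = _FEED_URL.search(urlparse(url).path)
    return int(m.group("feed_id")) if m else None


def check_asset_settings(settings: Dict[str, object], polling: bool) -> List[str]:
    """Return findings for an asset configuration (an empty list means it passed).

    `settings` keys mirror the Asset Settings table; set `polling` when the asset
    will retrieve data from the platform, which is when the feed ID is required.
    """
    findings: List[str] = []
    address = str(settings.get("EclecticIQ Platform Address", ""))
    if urlparse(address).scheme != "https":
        findings.append("platform address is not https; credentials would travel in clear text")
    if not settings.get("EclecticIQ SSL Cert Check"):
        findings.append("SSL cert check is off; any certificate presented for the platform is accepted")
    if not settings.get("EclecticIQ Group Name for Entities"):
        findings.append("group name is empty")
    feed_id = settings.get("EclecticIQ Outgoing Feed ID # for Polling")
    if polling and not (isinstance(feed_id, int) and feed_id > 0):
        findings.append("polling needs the numeric outgoing feed ID from Get the feed ID")
    return findings


# Constructed sample mirroring the Example column, with the cert check left at its default.
SAMPLE_SETTINGS: Dict[str, object] = {
    "EclecticIQ Platform Address": "https://tip.example.com",
    "EclecticIQ Username": "user",
    "EclecticIQ Password/Token": "password",
    "EclecticIQ Group Name for Entities": "Testing Group",
    "EclecticIQ Outgoing Feed ID # for Polling": 7,
    "EclecticIQ SSL Cert Check": False,
}
```

Run against the sample settings, the only finding is the cert check left at its default, which is the one setting from the table that silently weakens the connection to the platform.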