Get started with the Splunk Phantom integration#
Caution
This app is no longer supported. Instead, use Splunk SOAR App for EclecticIQ Intelligence Center (Documentation)
The EclecticIQ app for Splunk Phantom is a native application that installs directly on your Splunk Phantom instance.
Below is a short guide for getting started with the EclecticIQ app for Splunk Phantom.
For more detailed instructions, go to Splunk Phantom documentation on configuring apps and assets.
For more information about the EclecticIQ app, go to the Splunk Phantom app reference.
Requirements#
EclecticIQ Platform 2.x or later.
EclecticIQ app for Splunk Phantom installed on your Splunk Phantom instance.
Network access between EclecticIQ Platform and your Splunk Phantom instance.
Download the app#
Go to my.phantom.us and sign in with your Splunk Phantom account.
In the top navigation bar, click Apps > For Phantom.
Search for EclecticIQ app.
The results should display the EclecticIQ app for Splunk Phantom.
Click on the Download button on the right of the entry for EclecticIQ app.
(Optional) Create a new source group#
Create a new dedicated source group to manage data sent to and received from the EclecticIQ app.
When adding Allowed sources to the group, make sure to add Sources that contain data that you want to send to the EclecticIQ app.
Set up Outgoing feed on EclecticIQ Platform#
In order to allow your Splunk Phantom instance to use intelligence from EclecticIQ Platform to detect threats, set up an outgoing feed on your platform instance:
In the left navigation bar, click Data Configuration > Outgoing feeds > +.
Set the following fields in your new outgoing feed:
Field name
Description
Feed name*
Enter a descriptive name for the outgoing feed.
Example: Outgoing feed for <vendor system>
Transport type*
Set this to HTTP download.
Content type*
Set this to EclecticIQ JSON.
Feed content
Datasets*: Select one or more datasets to include in this outgoing feed.
Update strategy*: Select an update strategy.
The EclecticIQ app supports these update strategies:
APPEND: Select this option to only pack data that is new. This means only data added to included datasets since the last time the feed was run is packed and made available through the HTTP download endpoints.
REPLACE: Select this option to always re-generate the contents of the entire feed each time it runs.
Use this when you need to make sure that items removed from the dataset(s) included in the feed are also removed from data made available through the HTTP download endpoints.
Caution
Not recommended for feeds with large datasets, or feeds with frequent execution schedules.
Transport configuration
Public: Select this to make this feed publicly available.
Authorized groups: If Public is not selected, select one or more groups to make this feed available to.
If you created a source group earlier, add that here.
Execution schedule
Set to None by default.
Tip
For more information on configuring HTTP download outgoing feeds, see Outgoing feed - HTTP download feed.
Save and run the outgoing feed.
Get the feed ID#
We need the ID of the outgoing feed that you’ve just created.
To get the feed ID:
In the left navigation bar, click Data Configuration > Outgoing feeds.
In the Outgoing feeds overview, click on the outgoing feed you’ve just created.
In the panel that appears, click on the Created packages tab.
Locate and note the feed ID shown in this tab.
The feed ID is displayed as part of the outgoing feed URLs shown. For example, in:
You can download the latest package from: https://tip.example.com/private/open-outgoing-feed-download/8/runs/f32b18ed-3292-4eb7-9359-afa97a2783f3/content-blocks/latest
the feed ID is 8.
Install EclecticIQ app for Splunk Phantom#
Sign in to your Splunk Phantom instance.
In the top navigation bar, click on the drop-down menu that says Home, and select Apps.
Click INSTALL APP at the top right.
Follow the on-screen instructions to upload the
.tgz
package for the EclecticIQ app downloaded in Download the app.Click INSTALL.
Configure the app#
Tip
Splunk Phantom provides extensive documentation on configuring apps and assets.
More information about the EclecticIQ app can also be found in the app reference.
In the Apps view on Splunk Phantom, click the Unconfigured Apps tab.
Search for EclecticIQ app.
The EclecticIQ app should appear as a result.
Click CONFIGURE NEW ASSET on the right of the entry for EclecticIQ app.
This creates a new configuration for the EclecticIQ app.
The following sections go over the configuration required for the EclecticIQ app to work.
Once you’re done configuring the asset, click SAVE.
For more information about other configuration options, see the Splunk Phantom documentation on apps and assets, or see the app reference.
Asset Info#
Field name |
Example |
Description |
---|---|---|
Asset name |
EclecticIQ App for Splunk Phantom |
Enter a descriptive name for your asset configuration. |
Asset description |
Optional description for asset. |
Enter a description for your asset. |
Product vendor |
EclecticIQ |
Set to EclecticIQ by default. |
Product name |
TIP |
Set to TIP by default. |
Tags |
sample |
(Optional) Select one or more tags to this asset. For more information, see Splunk Phantom documentation. |
Asset Settings#
Field name |
Example |
Description |
---|---|---|
EclecticIQ Platform Address |
https://tip.example.com |
URL of your EclecticIQ Platform instance. |
EclecticIQ Username |
user |
User name of account that has read and write access to the source group created in Create a new source group |
EclecticIQ Password/Token |
password |
Password for account. |
EclecticIQ Group Name for Entities |
Testing Group |
The name of the source group to retrieve entities from or send entities to. If you created a new source group, enter its name here. Source group names are case-sensitive. |
EclecticIQ Outgoing Feed ID # for Polling |
7 |
Enter the feed ID from Get the feed ID. Optional. Only needed for actions to retrieve data from the EclecticIQ Platform. Not required for setting up the EclecticIQ app to only send entities to the EclecticIQ Platform. |
EclecticIQ SSL Cert Check |
Not selected by default. Select to require Splunk Phantom to verify the cert provided by the EclecticIQ Platform at the given URL. |