Advanced Phantom Implementation (API) – Outline

Detailed Course Outline

Module 1 – Implementing Splunk and Phantom

  • Review of Phantom UI and concepts
  • Describe interactions between Splunk and Phantom
  • Identify key concepts and data flows
  • Pre-requisites for integration

Module 2 – Configuring External Splunk Search

  • Describe the benefits of externalizing search to Splunk
  • Configure the Phantom instance for externalization
  • Configure the Splunk instance for externalization
  • Use the Splunk app for Phantom Reporting

Module 3 – Sending Splunk Events to Phantom

  • Configure the Phantom Add-on for Splunk
  • Map CIM fields to CEF
  • Send Enterprise Security notables to Phantom
  • Automatically trigger Phantom playbooks for Splunk notables

Module 4 – Accessing Splunk from Phantom

  • Install and configure the Phantom App for Splunk
  • Ingest Splunk events into Phantom
  • Use Splunk search from playbooks
  • Update Splunk notable events

Module 5 – Custom Coding in Playbooks

  • Phantom coding best practices
  • Use custom function blocks
  • Using the Phantom API in custom code
  • Store and retrieve persistent data

Module 6 – Using Phantom REST

  • Use Django queries to search for data in Phantom
  • Use REST from other systems to access Phantom data
  • Use the HTTP app to execute REST from playbooks