Splunk Training + Certification

Advanced SOAR Implementation

Course Description

This 13.5-hour virtual course is intended for experienced SOAR consultants who will be responsible for complex SOAR solution development, and will prepare the attendee to integrate SOAR with Splunk as well as develop playbooks requiring custom coding and REST API usage.

This course was previously available as Advanced Phantom Implementation.

Course Prerequisites

Skills and Classes:
  • Experience with Python programming
  • Administering Splunk Phantom
  • Developing Splunk Phantom Playbooks
  • Investigating Splunk Incidents with SOAR
  • Splunk Enterprise Data Administration, Splunk Enterprise System Administration, and Administering Splunk Enterprise Security OR equivalent Splunk Enterprise and Splunk Enterprise Security experience

Course Topics

  • Using external Splunk search in Phantom
  • Sending events from Splunk to Phantom
  • Updating Splunk events from Phantom
  • Running Phantom reports on Splunk
  • Executing Phantom playbooks from Splunk
  • Searching Splunk from Phantom playbooks
  • Writing custom code in Phantom Playbooks
  • Using the Phantom REST API in Phantom Playbooks

Course Objectives

Module 1 – Implementing Splunk and Phantom

  • Review Phantom UI and concepts
  • Describe interactions between Splunk and Phantom
  • Identify key concepts and data flows
  • Identify the prerequisites for integration

Module 2 – Configuring External Splunk Search

  • Describe the benefits of externalizing search to Splunk
  • Configure the Phantom instance for externalization
  • Configure the Splunk instance for externalization
  • Use the Splunk app for Phantom Reporting

Module 3 – Sending Splunk Events to Phantom

  • Configure the Phantom Add-on for Splunk
  • Map CIM fields to CEF
  • Send Enterprise Security notables to Phantom
  • Automatically trigger Phantom playbooks for Splunk notables

Module 4 – Accessing Splunk from Phantom

  • Install and configure the Phantom App for Splunk
  • Ingest Splunk events into Phantom
  • Use Splunk search from playbooks
  • Update Splunk notable events
Module 5 – Custom Coding in Playbooks

  • Apply Phantom coding best practices
  • Use custom function blocks
  • Use the Phantom API in custom code
  • Store and retrieve persistent data

Module 6 – Using Phantom REST

  • Use Django queries to search for data in Phantom
  • Use REST from other systems to access Phantom data
  • Use the HTTP app to execute REST from playbooks