Advanced Phantom Implementation 4.9
Upcoming Classes
Online
Instructor-led online training
Location | Jan 2021 | Feb 2021 | Mar 2021 | Apr 2021 | May 2021 | Jun 2021 | Jul 2021
---|---|---|---|---|---|---|---
APAC Singapore - Virtual | Jan 20 – Jan 22 | | Mar 17 – Mar 19 | Apr 21 – Apr 23 | | |
AMER Eastern Time - Virtual | | Feb 10 – Feb 12; Feb 24 – Feb 26 | Mar 24 – Mar 26 | Apr 7 – Apr 9 | | |
EMEA UK Time - Virtual | | Feb 24 – Feb 26 | | Apr 28 – Apr 30 | | |
AMER Pacific Time - Virtual | | | Mar 10 – Mar 12 | Apr 21 – Apr 23 | | |
Summary
This 13.5-hour course is intended for experienced Phantom consultants who will be responsible for complex Phantom solution development. It prepares the attendee to integrate Phantom with Splunk and to develop playbooks that require custom coding and REST API usage.
Potential attendees have received a passing grade in all prerequisite courses, and should ensure they can devote all of their attention to the class, as the course work is very challenging. Students will develop a custom solution with Phantom, Splunk and custom Python code. The labs provide requirements for the solution; the student must plan and execute the development. This will require thoughtful focus, experimentation and problem-solving skills.
Description
- Using external search in Phantom
- Sending events from Splunk to Phantom
- Updating Splunk events from Phantom
- Running Phantom reports on Splunk
- Executing Phantom playbooks from Splunk
- Searching Splunk from Phantom playbooks
- Writing custom code in Phantom playbooks
- Using the Phantom REST API in Phantom playbooks
Objectives
Module 1 – Implementing Splunk and Phantom
- Review of Phantom UI and concepts
- Describe interactions between Splunk and Phantom
- Identify key concepts and data flows
- Pre-requisites for integration
Module 2 – Configuring External Splunk Search
- Describe the benefits of externalizing search to Splunk
- Configure the Phantom instance for externalization
- Configure the Splunk instance for externalization
- Use the Splunk app for Phantom Reporting
Module 3 – Sending Splunk Events to Phantom
- Configure the Phantom Add-on for Splunk
- Map CIM fields to CEF
- Send Enterprise Security notables to Phantom
- Automatically trigger Phantom playbooks for Splunk notables
Module 4 – Accessing Splunk from Phantom
- Install and configure the Phantom App for Splunk
- Ingest Splunk events into Phantom
- Use Splunk search from playbooks
- Update Splunk notable events
Module 5 – Custom Coding in Playbooks
- Phantom coding best practices
- Writing, using and managing custom functions
- Using the Phantom API in custom code
- Store and retrieve persistent data
Module 6 – Using Phantom REST
- Use Django queries to search for data in Phantom
- Use REST from other systems to access Phantom data
- Use the HTTP app to execute REST from playbooks
Prerequisites
Attendees for this class must ensure that they meet all course prerequisites. This is a challenging, advanced class that draws on technical knowledge from many areas in Splunk and Phantom, and the demanding labs and course schedule leave little time to learn the basics.
Classes:
- Experience with Python programming
- Administering Splunk Phantom
- Developing Splunk Phantom Playbooks
- Enterprise Splunk Data Administration
- Enterprise Splunk System Administration
- Either Using or Administering Splunk Enterprise Security