Splunk Phantom Integration

A Recorded Future app for Splunk Phantom is currently available. Contact Glenn Wong for information beyond this article. 

About Splunk Phantom

Splunk Phantom is a security automation and orchestration product. The purpose of the integration is to make threat intelligence data from Recorded Future available to playbooks in Splunk Phantom.


The integration is packaged as Splunk Phantom app, and delivered as a tarball file. It is available through the Phantom App store.

The integration was built and tested using Splunk Phantom v2.0. It is expected to be backward compatible to Phantom v1.

To use this app, you will need API access to Recorded Future.

Install and Configure the Integration

After you have received the app tarball (tgz file) and an API token from Recorded Future, install and configure the app as follows:

  1. Place the app tarball in a locally accessible folder, like Downloads
  2. Log in to Phantom Cyber as an administrator
  3. Navigate to Administration > Apps
  4. Click the + APP button
  5. Locate the tarball file and click Install
  6. Navigate to Administration > Assets
  7. Click the + ASSET button
  8. Name the new asset Recorded Future API or similar.
  9. Select Recorded Future as the vendor and as the Product.
  10. Navigate to the Asset Settings tab
  11. Enter your Recorded Future API Token
  12. Save the Asset
  13. Run the connectivity test

Install and configuration is complete. Your asset should look like this:

A successful connectivity test looks like this:

Documentation is packaged with the app. To find this documentation, navigate to Administration > Apps and click on the Recorded Future app.  

Supported Actions

The app currently supports these actions:

  • enrich vulnerability - Execute vulnerability enrichment on the given vulnerability
  • enrich hash - Execute hash enrichment on the given hash
  • enrich ip - Execute ip address enrichment on the given ip address
  • enrich domain - Execute domain enrichment on the given domain
  • test connectivity - Validate the asset configuration for connectivity

Each action corresponds to an Intelligence Card in Recorded Future. The action retrieves the current threat intelligence information for the input value, and returns that information to Splunk Phantom. The detailed threat data is returned as a JSON dictionary, and selected data values are highlighted in the Phantom action results table.

Here is an example of enrichment output for an IP Address.

Was this article helpful?
2 out of 2 found this helpful

This content is confidential. Downloading or distributing this content is in violation of your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.
Have more questions? Submit a request



Please sign in to leave a comment. Please note that your name will be displayed. If you would like to change how your name appears, please update your profile name.