Splunk Phantom: Enrich Notable Events

Updated 5 months ago by TruSTAR

This script takes an Indicator from a Splunk ES Notable Event and enriches it with metadata and scoring summaries from TruSTAR. That enrichment is then appended to the Notable Event as a note. The script runs whenever a notable event from Splunk is forwarded to Phantom.

This script uses the TruSTAR REST API to create a playbook of actions that works with the Splunk Phantom environment.


  • Splunk Enterprise Security (ES)
  • Splunk Phantom Add-On. This Add-On requires SSL to work between Splunk ES and TruSTAR.
Sending enrichment back to the originating notable event in Splunk ES requires the notable event API in Splunk so, you will need to install the SplunkES integration in Phantom.

Activating This Script

Contact your TruSTAR account manager and provide the following information:

  • Source Enclave ID(s)

After you have provided the information, your account manager will configure the feature and then email you with confirmation that the script has been enabled.

How It Works

  1. Phantom Add-On forwards a Splunk ES Notable Event to Phantom.
  2. Phantom extracts the Indicators from the Notable Event and forwards it to TruSTAR for enrichment.
  3. The script searches the specified TruSTAR Enclave(s) for correlated Intel Reports that match the Indicator. The script also fetches any other Indicators in the report, including the metadata and scoring summary information for each Indicator.
  4. Phantom appends the correlated Intel Reports and their Indicators from TruSTAR to a Notable Event in Splunk Phantom.


Q. Can this script handle notable events with more than one Indicator?

A, If you have created custom Splunk searches to produce notable events containing more than one Indicator, please contact TruSTAR support to discuss if the script can be modified to handle this situation.

Any issues or questions about this script, please contact support@notifications.trustar.co.

How Did We Do?