Splunk SOAR (f.k.a. Phantom)

Example of how to investigate and remediate phishing emails with Splunk Phantom?

sloshburch
Splunk Employee
Splunk Employee

Does anyone have examples of how to use Splunk Phantom to investigate and remediate phishing emails?

Labels (1)
0 Karma
1 Solution

sloshburch
Splunk Employee
Splunk Employee

The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.

For more information on this and other examples, download the free Splunk Security Essentials app on Splunkbase.


Undetected phishing emails can be devastating to an organization, and investigating them can be time consuming. Use the Splunk Phantom Phishing Investigate and Respond playbook to automate email investigations that analyze the email body, its attachments, and users who received the email so you can respond quickly to phishing attacks.

Load data

How to implement: To run the Splunk Phantom Phishing Investigate and Respond playbook, you need a Splunk Enterprise instance from which Phantom can draw data that ingests email server events.

Although there are several ways to get data into Phantom, this example uses the Phantom App for Splunk on Splunkbase. Verify that the playbook is configured to operate on splunk_events.

Before you run the playbook, verify that Splunk Phantom is receiving data from Splunk Enterprise. Also, verify your asset configurations on the Phantom Asset Configuration page, and that all assets are resolved on the Phantom Resolved Assets page.

Get insights

The Splunk Phantom Phishing Investigate and Respond playbook examines the artifacts from an ingested email and performs various reputation checks against the data. It triggers additional decisions if it needs further information, and can detonate an attachment in a sandbox if there is no information returned from a file reputation lookup. This playbook prompts you with the output from the reputation lookups so you can decide whether or not the email should be deleted.

To find the playbook, go to the Phantom main menu, select Playbooks, and search for phishing_investigate_and_respond.

Help

For more support, post a question to the Splunk Answers community.

View solution in original post

0 Karma

sloshburch
Splunk Employee
Splunk Employee

The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.

For more information on this and other examples, download the free Splunk Security Essentials app on Splunkbase.


Undetected phishing emails can be devastating to an organization, and investigating them can be time consuming. Use the Splunk Phantom Phishing Investigate and Respond playbook to automate email investigations that analyze the email body, its attachments, and users who received the email so you can respond quickly to phishing attacks.

Load data

How to implement: To run the Splunk Phantom Phishing Investigate and Respond playbook, you need a Splunk Enterprise instance from which Phantom can draw data that ingests email server events.

Although there are several ways to get data into Phantom, this example uses the Phantom App for Splunk on Splunkbase. Verify that the playbook is configured to operate on splunk_events.

Before you run the playbook, verify that Splunk Phantom is receiving data from Splunk Enterprise. Also, verify your asset configurations on the Phantom Asset Configuration page, and that all assets are resolved on the Phantom Resolved Assets page.

Get insights

The Splunk Phantom Phishing Investigate and Respond playbook examines the artifacts from an ingested email and performs various reputation checks against the data. It triggers additional decisions if it needs further information, and can detonate an attachment in a sandbox if there is no information returned from a file reputation lookup. This playbook prompts you with the output from the reputation lookups so you can decide whether or not the email should be deleted.

To find the playbook, go to the Phantom main menu, select Playbooks, and search for phishing_investigate_and_respond.

Help

For more support, post a question to the Splunk Answers community.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...