Splunk SOAR (f.k.a. Phantom)

Example of how to hunt for threats with Splunk Phantom?

sloshburch
Splunk Employee
Splunk Employee

Does anyone have examples of how to use Splunk Phantom to hunt for threats?

Labels (1)
0 Karma
1 Solution

sloshburch
Splunk Employee
Splunk Employee

The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.

For more information on this and other examples, download the free Splunk Security Essentials app on Splunkbase.


Threat hunting can be repetitive. Use the Splunk Phantom Recorded Future Threat Hunting playbook to automate threat hunting so you can enrich threat data or leverage network data to perform deeper investigations.

Load data

How to implement: To run the Splunk Phantom Recorded Future Threat Hunting playbook, you need a Splunk Enterprise instance from which Phantom can draw data that ingests anti-virus, anti-malware, DLP, host-based IDS, IDS, or IPS events.

Although there are several ways to get data into Phantom, this example uses the Phantom App for Splunk on Splunkbase. Verify that the playbook is configured to operate on splunk_events.

Before you run the playbook, verify that Splunk Phantom is receiving data from Splunk Enterprise. Also, verify your asset configurations on the Phantom Asset Configuration page, and that all assets are resolved on the Phantom Resolved Assets page.

Get insights

The Splunk Phantom Recorded Future Threat Hunting playbook uses endpoint detection and response tools to hunt for threat indicators in the environment. The playbook provides additional actions you can use to obtain more information about the threats and further investigate any malicious files you discover.

To find the playbook, go to the Phantom main menu, select Playbooks, and search for recorded_future_threat_hunting.

How to respond: Investigate any malicious connections or files in the environment you discover during threat hunting. You can configure the Recorded Future Threat Hunting playbook to perform investigative actions that enrich threat intelligence data before hunting for it. You can also use the threat hunting playbook in conjunction with other playbooks.

Help

For more support, post a question to the Splunk Answers community.

View solution in original post

0 Karma

sloshburch
Splunk Employee
Splunk Employee

The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.

For more information on this and other examples, download the free Splunk Security Essentials app on Splunkbase.


Threat hunting can be repetitive. Use the Splunk Phantom Recorded Future Threat Hunting playbook to automate threat hunting so you can enrich threat data or leverage network data to perform deeper investigations.

Load data

How to implement: To run the Splunk Phantom Recorded Future Threat Hunting playbook, you need a Splunk Enterprise instance from which Phantom can draw data that ingests anti-virus, anti-malware, DLP, host-based IDS, IDS, or IPS events.

Although there are several ways to get data into Phantom, this example uses the Phantom App for Splunk on Splunkbase. Verify that the playbook is configured to operate on splunk_events.

Before you run the playbook, verify that Splunk Phantom is receiving data from Splunk Enterprise. Also, verify your asset configurations on the Phantom Asset Configuration page, and that all assets are resolved on the Phantom Resolved Assets page.

Get insights

The Splunk Phantom Recorded Future Threat Hunting playbook uses endpoint detection and response tools to hunt for threat indicators in the environment. The playbook provides additional actions you can use to obtain more information about the threats and further investigate any malicious files you discover.

To find the playbook, go to the Phantom main menu, select Playbooks, and search for recorded_future_threat_hunting.

How to respond: Investigate any malicious connections or files in the environment you discover during threat hunting. You can configure the Recorded Future Threat Hunting playbook to perform investigative actions that enrich threat intelligence data before hunting for it. You can also use the threat hunting playbook in conjunction with other playbooks.

Help

For more support, post a question to the Splunk Answers community.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...