Splunk SOAR (f.k.a. Phantom)

Example of how to prompt an analyst to block an endpoint with Splunk Phantom?

sloshburch
Splunk Employee
Splunk Employee

Does anyone have examples of how to use Splunk Phantom to prompt an analyst to block an endpoint?

Labels (1)
0 Karma
1 Solution

sloshburch
Splunk Employee
Splunk Employee

The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.

For more information on this and other examples, download the free Splunk Security Essentials app on Splunkbase.


Configure the Splunk Phantom User Prompt and Block Domain playbook to prompt you about whether or not to block an endpoint based on the information returned from a domain reputation check. You can expand this playbook to take action automatically based on certain scores and receive a prompt only for anything in a gray area.

Load data

How to implement: To run the Splunk Phantom User Prompt and Block Domain playbook, you need a Splunk Enterprise instance from which Phantom can draw data that ingests web proxy server events.

Although there are several ways to get data into Phantom, this example uses the Phantom App for Splunk on Splunkbase. Verify that the playbook is configured to operate on splunk_events.

Before you run the playbook, verify that Splunk Phantom is receiving data from Splunk Enterprise. Also, verify your asset configurations on the Phantom Asset Configuration page, and that all assets are resolved on the Phantom Resolved Assets page.

Get insights

The Splunk Phantom User Prompt and Block Domain playbook uses a reputation check to determine the risk level of a domain. If an incident occurs in a domain with a high reputation score, Splunk Phantom prompts a user for approval, then blocks the domain for 60 minutes after the user gives approval.

To find the playbook, go to the Phantom main menu, select Playbooks, and search for user_prompt_and_block_domain.

How to respond: You can expand this playbook to take action automatically based on certain scores and only receive a prompt for anything in a gray area. You can also expand this playbook to support other types of data, such as hashes or IP addresses.

Help

For more support, post a question to the Splunk Answers community.

View solution in original post

0 Karma

sloshburch
Splunk Employee
Splunk Employee

The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.

For more information on this and other examples, download the free Splunk Security Essentials app on Splunkbase.


Configure the Splunk Phantom User Prompt and Block Domain playbook to prompt you about whether or not to block an endpoint based on the information returned from a domain reputation check. You can expand this playbook to take action automatically based on certain scores and receive a prompt only for anything in a gray area.

Load data

How to implement: To run the Splunk Phantom User Prompt and Block Domain playbook, you need a Splunk Enterprise instance from which Phantom can draw data that ingests web proxy server events.

Although there are several ways to get data into Phantom, this example uses the Phantom App for Splunk on Splunkbase. Verify that the playbook is configured to operate on splunk_events.

Before you run the playbook, verify that Splunk Phantom is receiving data from Splunk Enterprise. Also, verify your asset configurations on the Phantom Asset Configuration page, and that all assets are resolved on the Phantom Resolved Assets page.

Get insights

The Splunk Phantom User Prompt and Block Domain playbook uses a reputation check to determine the risk level of a domain. If an incident occurs in a domain with a high reputation score, Splunk Phantom prompts a user for approval, then blocks the domain for 60 minutes after the user gives approval.

To find the playbook, go to the Phantom main menu, select Playbooks, and search for user_prompt_and_block_domain.

How to respond: You can expand this playbook to take action automatically based on certain scores and only receive a prompt for anything in a gray area. You can also expand this playbook to support other types of data, such as hashes or IP addresses.

Help

For more support, post a question to the Splunk Answers community.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...