Splunk SOAR

Example of how to investigate and contain ransomware with Splunk Phantom?

sloshburch
Splunk Employee
Splunk Employee

Does anyone have examples of how to use Splunk Phantom to investigate and contain ransomware?

Labels (1)
0 Karma
1 Solution

sloshburch
Splunk Employee
Splunk Employee

The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.

For more information on this and other examples, download the free Splunk Security Essentials app on Splunkbase.


Detect and react to ransomware to limit damage to your network with the Splunk Phantom Ransomware Investigate and Contain playbook. You can configure this playbook to automate the entire incident response process so you can find and quarantine additional infected hosts.

This playbook also hunts for additional infected hosts using any observed file hashes.

Load data

How to implement: To run the Splunk Phantom Ransomware Investigate and Contain playbook, you need a Splunk Enterprise instance from which Phantom can draw data that ingests anti-virus or anti-malware events.

Although there are several ways to get data into Phantom, this example uses the Phantom App for Splunk on Splunkbase. Verify that the playbook is configured to operate on splunk_events.

Before you run the playbook, verify that Splunk Phantom is receiving data from Splunk Enterprise. Also, verify your asset configurations on the Phantom Asset Configuration page, and that all assets are resolved on the Phantom Resolved Assets page.

Get insights

Use the Splunk Phantom Ransomware Investigate and Contain playbook to detects the presence of ransomware in the environment. You can investigate a file using a sandbox, and if ransomware is present, immediately block network communications and quarantine devices.

To find the playbook, go to the Phantom main menu, select Playbooks, and search for user_prompt_and_block_domain.

How to respond: When potential ransomware is detected, use this playbook to investigate. You can configure the playbook to automatically take action to quarantine a device and block network communications.

Help

For more support, post a question to the Splunk Answers community.

View solution in original post

0 Karma

sloshburch
Splunk Employee
Splunk Employee

The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.

For more information on this and other examples, download the free Splunk Security Essentials app on Splunkbase.


Detect and react to ransomware to limit damage to your network with the Splunk Phantom Ransomware Investigate and Contain playbook. You can configure this playbook to automate the entire incident response process so you can find and quarantine additional infected hosts.

This playbook also hunts for additional infected hosts using any observed file hashes.

Load data

How to implement: To run the Splunk Phantom Ransomware Investigate and Contain playbook, you need a Splunk Enterprise instance from which Phantom can draw data that ingests anti-virus or anti-malware events.

Although there are several ways to get data into Phantom, this example uses the Phantom App for Splunk on Splunkbase. Verify that the playbook is configured to operate on splunk_events.

Before you run the playbook, verify that Splunk Phantom is receiving data from Splunk Enterprise. Also, verify your asset configurations on the Phantom Asset Configuration page, and that all assets are resolved on the Phantom Resolved Assets page.

Get insights

Use the Splunk Phantom Ransomware Investigate and Contain playbook to detects the presence of ransomware in the environment. You can investigate a file using a sandbox, and if ransomware is present, immediately block network communications and quarantine devices.

To find the playbook, go to the Phantom main menu, select Playbooks, and search for user_prompt_and_block_domain.

How to respond: When potential ransomware is detected, use this playbook to investigate. You can configure the playbook to automatically take action to quarantine a device and block network communications.

Help

For more support, post a question to the Splunk Answers community.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...