Splunk Tech Talks
Deep-dives for technical practitioners.

Risk Based Alerting at Machine Speed with Splunk Phantom

melissap
Splunk Employee

View our Tech Talk: Security Edition, Risk Based Alerting at Machine Speed with Splunk Phantom 

Security Operations Centers are being inundated with low-fidelity alerts, making it hard for analysts to respond in a timely manner. Day after day, this results in a pile-up of abandoned cases. Splunk Enterprise Security, using its Risk Based Alerting (RBA) functionality, reduces the quantity of alerts so you can focus on the threats that matter. The resulting high-fidelity alerts give your team the pieces of context needed to improve investigations and respond quickly.

That’s where Splunk Phantom comes in. Phantom’s SOAR capabilities combined with RBA allow you to quickly gather the necessary context for a security event. A risk-based alert may contain any number of anomalous events correlated together, and Phantom can investigate all of those anomalies simultaneously. Indicators of compromise such as IPs, domains, URLs, and hashes can be queued up for automatic blocking. The risky device or user in your environment can also be automatically quarantined or disabled to buy investigators valuable time.

Tune in to this Tech Talk to learn how to:

  • Incorporate threat indicators into your RBA strategy
  • Build an extensible Phantom playbook framework for new use cases
  • Automate analyst information gathering steps
  • Link together multiple response plans

Tech Talk discussions will remain open for 2 weeks after the live talk. You can continue the conversation within Splunk Answers under the tag Phantom.
