Splunk Tech Talks
Deep-dives for technical practitioners.

Risk Based Alerting at Machine Speed with Splunk Phantom

melissap
Splunk Employee
Splunk Employee

View our Tech Talk: Security Edition, Risk Based Alerting at Machine Speed with Splunk Phantom 

Security Operations Centers are being inundated with low-fidelity alerts, making it hard for analysts to respond in a timely manner. Day after day, this results in a pile up of abandoned cases. Splunk Enterprise Security, using Risk Based Alerting (RBA) functionality, reduces the quantity of alerts so you can focus on the threats that matter. The resulting high-fidelity alerts provide your team with valuable pieces of context to improve investigations that you need to respond to quickly. 

That’s where Splunk Phantom comes in. Phantom’s SOAR capabilities combined with RBA allow you to quickly gather necessary context of a security event. A risk-based alert may contain any number of anomalous events correlated together. Phantom is used to investigate all of those anomalies simultaneously. Indicators of compromise like IPs, domains, URLs, and hashes can be queued up for automatic blocking. The risky device or user in your environment can also be automatically quarantined or disabled to buy investigators valuable time.

Tune in to this Tech Talk to learn how to:

  • Incorporate threat indicators to your RBA strategy
  • Build an extensible Phantom playbook framework for new use-cases
  • Automate analyst information gathering steps
  • Link together multiple response plans

Tech Talk discussions will remain open for 2 weeks after the live talk. You can continue the conversation within Splunk Answers under the tag Phantom

Tags (1)
Get Updates on the Splunk Community!

Developer Spotlight with William Searle

The Splunk Guy: A Developer’s Path from Web to Cloud William is a Splunk Professional Services Consultant with ...

Major Splunk Upgrade – Prepare your Environment for Splunk 10 Now!

Attention App Developers: Test Your Apps with the Splunk 10.0 Beta and Ensure Compatibility Before the ...

Stay Connected: Your Guide to June Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...