Splunk Tech Talks
Deep-dives for technical practitioners.

Risk Based Alerting at Machine Speed with Splunk Phantom

Splunk Employee
Splunk Employee

View our Tech Talk: Security Edition, Risk Based Alerting at Machine Speed with Splunk Phantom 

Security Operations Centers are being inundated with low-fidelity alerts, making it hard for analysts to respond in a timely manner. Day after day, this results in a pile up of abandoned cases. Splunk Enterprise Security, using Risk Based Alerting (RBA) functionality, reduces the quantity of alerts so you can focus on the threats that matter. The resulting high-fidelity alerts provide your team with valuable pieces of context to improve investigations that you need to respond to quickly. 

That’s where Splunk Phantom comes in. Phantom’s SOAR capabilities combined with RBA allow you to quickly gather necessary context of a security event. A risk-based alert may contain any number of anomalous events correlated together. Phantom is used to investigate all of those anomalies simultaneously. Indicators of compromise like IPs, domains, URLs, and hashes can be queued up for automatic blocking. The risky device or user in your environment can also be automatically quarantined or disabled to buy investigators valuable time.

Tune in to this Tech Talk to learn how to:

  • Incorporate threat indicators to your RBA strategy
  • Build an extensible Phantom playbook framework for new use-cases
  • Automate analyst information gathering steps
  • Link together multiple response plans

Tech Talk discussions will remain open for 2 weeks after the live talk. You can continue the conversation within Splunk Answers under the tag Phantom

Tags (1)
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...