Splunk Tech Talks
Deep-dives for technical practitioners.

Understanding Phantom’s Join Logic

Splunk Employee
Splunk Employee

Join us on December 15th for our Tech Talk: Security Edition, Understanding Phantom’s Join Logic.

Playbooks allow analysts to automate everyday security tasks and save time. Oftentimes, these playbooks are simple: run a query or complete a single action. However, playbooks can also be very complex. As that complexity grows, there’s a need for more advanced features of playbook design to be considered to ensure they run effectively. One of the ways to do this is to take a look at how parallel action blocks are set to re-join each other to continue processing. Have your complex playbooks ever stopped running unexpectedly after parallel single actions? That’s probably because of your ‘join’ settings. This talk will explain how Phantom’s 'join' logic works, and tips for writing effective and error-free playbooks.

Tune in to learn:

  • What may cause a playbook to stop running unexpectedly and how to fix it
  • How to use the join logic effectively 
  • How to properly use Phantom join logic in a live demo
Tags (2)