Splunk SOAR

Example of how to automatically contain malicious insiders with Splunk Phantom?

sloshburch
Splunk Employee
Splunk Employee

Does anyone have examples of how to use Splunk Phantom to automatically contain malicious insiders?

Labels (1)
0 Karma
1 Solution

sloshburch
Splunk Employee
Splunk Employee

The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.

For more information on this and other examples, download the free Splunk Security Essentials app on Splunkbase.


An insider threat can come from current employees , contractors, and even former employees whose accounts are still active. Use the Splunk Phantom Malicious Insider Containment playbook to detect and review suspicious behavior and user information, and then decide how to handle the alert.

Load data

How to implement: To run the Splunk Phantom Malicious Insider Containment Phantom playbook, you need a Splunk Enterprise instance from which Phantom can draw data that ingests AWS and audit trail events.

Although there are several ways to get data into Phantom, this example uses the Phantom App for Splunk on Splunkbase. Verify that the playbook is configured to operate on splunk_events.

Before you run the playbook, verify that Splunk Phantom is receiving data from Splunk Enterprise. Also, verify your asset configurations on the Phantom Asset Configuration page, and that all assets are resolved on the Phantom Resolved Assets page.

Get insights

An alert that contains a user account with a certain profile prompts you to review information about the user and decide how to proceed.

To find the playbook, go to the Phantom main menu, select Playbooks, and search for malicious_insider_containment.

How to respond: By default, The Splunk Phantom Malicious Insider Containment playbook is configured with actions for Active Directory. You can modify it to support investigating users in other systems, such as AWS.

Help

For more support, post a question to the Splunk Answers community.

View solution in original post

0 Karma

sloshburch
Splunk Employee
Splunk Employee

The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.

For more information on this and other examples, download the free Splunk Security Essentials app on Splunkbase.


An insider threat can come from current employees , contractors, and even former employees whose accounts are still active. Use the Splunk Phantom Malicious Insider Containment playbook to detect and review suspicious behavior and user information, and then decide how to handle the alert.

Load data

How to implement: To run the Splunk Phantom Malicious Insider Containment Phantom playbook, you need a Splunk Enterprise instance from which Phantom can draw data that ingests AWS and audit trail events.

Although there are several ways to get data into Phantom, this example uses the Phantom App for Splunk on Splunkbase. Verify that the playbook is configured to operate on splunk_events.

Before you run the playbook, verify that Splunk Phantom is receiving data from Splunk Enterprise. Also, verify your asset configurations on the Phantom Asset Configuration page, and that all assets are resolved on the Phantom Resolved Assets page.

Get insights

An alert that contains a user account with a certain profile prompts you to review information about the user and decide how to proceed.

To find the playbook, go to the Phantom main menu, select Playbooks, and search for malicious_insider_containment.

How to respond: By default, The Splunk Phantom Malicious Insider Containment playbook is configured with actions for Active Directory. You can modify it to support investigating users in other systems, such as AWS.

Help

For more support, post a question to the Splunk Answers community.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...