Splunk SOAR
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Example of how to determine if an IP address is malicious with Splunk Phantom?

sloshburch
Splunk Employee
Splunk Employee
‎01-30-2020 02:29 PM

Does anyone have examples of how to use Splunk Phantom to determine if an IP address is malicious?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sloshburch
Splunk Employee
Splunk Employee
‎01-30-2020 02:30 PM

The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.

For more information on this and other examples, download the free Splunk Security Essentials app on Splunkbase.

Security teams can use the Splunk Phantom IP Investigate and Report playbook to assess whether an IP address is malicious, and investigate which domains involve that IP address. The playbook uses an IP address to perform a number of investigative steps before it sends you an email notification.

Load data

How to implement: To run the Splunk Phantom IP Investigate and Report playbook, you need a Splunk Enterprise instance from which Phantom can draw data that ingests network communication events.

Although there are several ways to get data into Phantom, this example uses the Phantom App for Splunk on Splunkbase. Verify that the playbook is configured to operate on splunk_events.

Before you run the playbook, verify that Splunk Phantom is receiving data from Splunk Enterprise. Also, verify your asset configurations on the Phantom Asset Configuration page, and that all assets are resolved on the Phantom Resolved Assets page.

Get insights

The Splunk Phantom IP Investigate and Report playbook playbook executes multiple investigative actions to determine if an IP address is malicious, and sends a summary of the output in an email. The playbook will also attempt to find any malicious domains associated with an IP address.

To find the playbook, go to the Phantom main menu, select Playbooks, and search for ip_investigate_and_report.

How to respond: Investigate alerts to get additional context and information about the artifacts surrounding an IP address using the ingested alerts. You can use this data with other playbooks to take action or to automate threat hunting. Consider adding a sandbox action to visit and get further details from any domains discovered. You can also use data from this playbook in Splunk searches.

Help

For more support, post a question to the Splunk Answers community.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sloshburch
Splunk Employee
Splunk Employee
‎01-30-2020 02:30 PM

The Splunk Product Best Practices team helped produce this response. Read more about example use cases in the Splunk Platform Use Cases manual.

For more information on this and other examples, download the free Splunk Security Essentials app on Splunkbase.

Security teams can use the Splunk Phantom IP Investigate and Report playbook to assess whether an IP address is malicious, and investigate which domains involve that IP address. The playbook uses an IP address to perform a number of investigative steps before it sends you an email notification.

Load data

How to implement: To run the Splunk Phantom IP Investigate and Report playbook, you need a Splunk Enterprise instance from which Phantom can draw data that ingests network communication events.

Although there are several ways to get data into Phantom, this example uses the Phantom App for Splunk on Splunkbase. Verify that the playbook is configured to operate on splunk_events.

Before you run the playbook, verify that Splunk Phantom is receiving data from Splunk Enterprise. Also, verify your asset configurations on the Phantom Asset Configuration page, and that all assets are resolved on the Phantom Resolved Assets page.

Get insights

The Splunk Phantom IP Investigate and Report playbook playbook executes multiple investigative actions to determine if an IP address is malicious, and sends a summary of the output in an email. The playbook will also attempt to find any malicious domains associated with an IP address.

To find the playbook, go to the Phantom main menu, select Playbooks, and search for ip_investigate_and_report.

How to respond: Investigate alerts to get additional context and information about the artifacts surrounding an IP address using the ingested alerts. You can use this data with other playbooks to take action or to automate threat hunting. Consider adding a sandbox action to visit and get further details from any domains discovered. You can also use data from this playbook in Splunk searches.

Help

For more support, post a question to the Splunk Answers community.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...