Skip to main content
Splunk Lantern

Getting started with Splunk Phantom

Product feature overview

Main dashboard

Splunk Phantom’s Main Dashboard provides an overview of all your data and activity; notable events and their severity; playbooks; connections with other security tools; team workloads; and a summary of ROI from automated actions.

Playbooks

Playbooks automate security actions at machine speed. Playbooks execute a series of actions across your tools in seconds, versus hours or longer if performed manually. For instance, a playbook can tell your sandbox to detonate a suspected malicious file, while also telling your endpoint security tool to quarantine a device.

Apps

Apps are the integration points between Splunk Phantom and your other security technologies. Through Apps, Phantom directs your other security tools to perform “actions.” Phantom’s App model supports 300+ tools and 2000+ APIs, so you can connect and coordinate workflows across your team and tools.

Event management

Analysts are often overwhelmed with a large volume of security events. Phantom makes event management easy by consolidating all events (from multiple sources) in one place. Analysts can sort and filter events to quickly identify high fidelity notable events and prioritize action.

Case management

Integrated case management allows you to easily promote a verified event to a case. It also allows continued access to all tools, features and data available in one interface. Case Management supports case tasks that map to your defined Standard Operating Procedures (SOPs). It also provides full access to the Phantom automation engine, allowing you to launch actions and playbooks as part of a task.

Phantom on Splunk Mobile

Security orchestration, automation and response is available from your mobile device. Work smarter, respond faster and strengthen your defenses, all from the palm of your hand. Respond to events faster than ever because, via your mobile device, you’re reachable from anywhere. Run playbooks, triage events and collaborate with colleagues on the go.

Getting started with playbooks

AWS IAM find and disable inactive users

This playbook finds AWS user accounts that have the password last used “older than 90 days”, followed by a second playbook that disables the users identified from the first playbook.

Splunk Lantern also features a use case for this playbook that explains more about how to use it.

Malware triage using Crowdstrike Falcon endpoint security

The combination of Crowdstrike and Splunk Phantom allows for a more smooth operational flow from detecting endpoint security alerts to operationalizing threat intelligence and automatically taking the first few response steps. This out-of-the-box playbook triages malware detections from Crowdstrike and automates a variety of responses based on an informed decision by an analyst.

Splunk Lantern also features a use case for this playbook that explains more about how to use it.

  • Was this article helpful?