Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.
Splunk Phantom is a Security Orchestration, Automation, and Response (SOAR) system. The Splunk Phantom platform combines security infrastructure orchestration, playbook automation, and case management capabilities to integrate your team, processes, and tools to help you orchestrate security workflows, automate repetitive security tasks, and quickly respond to threats.
This diagram shows the end-to-end flow of security automation in Splunk Phantom. See the table immediately following the diagram for more information about each Splunk Phantom component in the diagram.
Component | Description
---|---
App | Adds connectivity to a third-party security technology so that Splunk Phantom can run the actions that technology provides. Some apps also provide a visual component, such as widgets that render data produced by the app. The diagram shows three apps in a Splunk Phantom environment: the MaxMind app, which provides an action to find the geographical location of an IP address; the PhishTank app, which provides an action to find the reputation of a URL; and the Palo Alto Networks (PAN) Firewall app, which provides several actions, such as blocking and unblocking access to IP addresses, applications, and URLs. See Add and configure apps and assets to provide actions in Splunk Phantom in the Administer Splunk Phantom manual.
Asset | A configured instance of an app. Each asset represents one physical or virtual device in your organization, such as a server, endpoint, router, or firewall, and holds the connection details (address and credentials) that the app uses to reach that device. For example, the Palo Alto Networks (PAN) Firewall app connects firewalls to Splunk Phantom; you configure one asset per firewall with that firewall's connection details. Keeping one asset per device also lets you assign ownership and approvals per device. The diagram shows one MaxMind asset, one PhishTank asset, and two PAN Firewall assets; the two PAN assets exist because the firewalls run different software versions. See Add and configure apps and assets to provide actions in Splunk Phantom in the Administer Splunk Phantom manual.
Container | A security event ingested into Splunk Phantom. Containers carry the default label events. Labels group related containers: for example, all containers from the same asset can share a label, and a playbook can then run against every container with that label. You can create custom labels as needed. See Configure labels to apply to containers in the Administer Splunk Phantom manual.
Case | A special kind of container that can hold other containers. If several closely related containers belong to one security incident, promote one of them to a case and add the others to it, so that you investigate the incident once rather than container by container. See Overview of cases.
Artifact | A piece of information attached to a container, such as a file hash, IP address, or email header. An artifact's fields follow the Common Event Format (CEF).
Indicator or Indicator of Compromise (IOC) | A piece of data such as an IP address, host name, or file hash that populates a Common Event Format (CEF) field in an artifact. Indicators are the smallest unit of data that an action can operate on in Splunk Phantom.
Playbook | A series of automation tasks that act on new data entering Splunk Phantom. A playbook can be configured to run actions against all new containers with a specific label, or to run as part of the workflow in a workbook. The diagram shows two playbooks: Playbook 1 runs actions from the MaxMind and PAN Firewall version 2.7 assets whenever a new container is created in Splunk Phantom; Playbook 2 runs actions from the PhishTank and PAN Firewall version 3.0 assets whenever a specific workbook is used in a case. See Use playbooks to automate analyst workflows in Splunk Phantom in the Build Playbooks with the Visual Editor manual.
Workbook | A template listing the standard tasks that analysts follow when evaluating containers or cases. See Define a workflow in a case using workbooks in Splunk Phantom.
Action | A high-level primitive used throughout the Splunk Phantom platform, such as get process dump, block ip, suspend vm, or terminate process. Apps make actions available; actions run from playbooks or manually from the Splunk Phantom web interface. See Add and configure apps and assets to provide actions in Splunk Phantom in the Administer Splunk Phantom manual.
Owner | The person responsible for managing an asset in your organization. When an action on an asset requires approval, the request goes to the asset's owner, and the action does not run until the owner approves it; this keeps a human in the loop for disruptive actions such as block ip or terminate process. Each approval carries a service level agreement (SLA) that states the expected response time. SLAs can also be set on events, phases, and tasks. See Configure approval settings for a Splunk Phantom asset and Configure the response times for service level agreements in the Administer Splunk Phantom manual.
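To make the data model in the table concrete, the following is an added Python example written for this page; it is not code from the Splunk Phantom product and does not use Phantom's phantom.rules playbook API or contact a Phantom host. It models containers with labels, artifacts whose CEF fields carry indicators, label-driven playbook selection, and the approval gate with an SLA deadline that a destructive action on an asset passes through. The playbook names, asset and owner names, CEF field subset, SLA length and sample indicator values are all constructed for the example.

```python
"""Offline model of the Splunk Phantom objects described in the table.

Constructed for this page: not the phantom.rules API, no network calls.
All names, labels, field lists and sample values are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed subset of CEF fields whose values are actionable indicators.
INDICATOR_FIELDS = {
    "sourceAddress": "ip",
    "destinationAddress": "ip",
    "requestURL": "url",
    "fileHash": "hash",
    "destinationHostName": "hostname",
}

# Assumed routing: playbooks that run when a container with a label is created.
PLAYBOOK_ROUTES = {
    "events": ["playbook_1_geolocate_and_block"],  # like Playbook 1 in the diagram
    "phishing": ["playbook_2_url_reputation"],      # hypothetical custom label
}

# Actions that change state on a device; these are held for owner approval.
DESTRUCTIVE_ACTIONS = {"block ip", "block url", "terminate process", "suspend vm"}

EXAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the demo


@dataclass
class Artifact:
    name: str
    cef: dict  # CEF field name -> value

@dataclass
class Container:
    id: int
    name: str
    label: str = "events"  # Phantom's default label
    artifacts: list = field(default_factory=list)

@dataclass
class Asset:
    name: str
    app: str
    owner: str
    approval_required: bool = True
    sla_minutes: int = 30  # assumed approval SLA

@dataclass
class Approval:
    action: str
    asset: str
    owner: str
    due: datetime
    status: str = "pending"


def extract_indicators(container):
    """Unique (kind, value) indicators drawn from every artifact's CEF fields."""
    found = []
    for artifact in container.artifacts:
        for cef_field, value in artifact.cef.items():
            kind = INDICATOR_FIELDS.get(cef_field)
            if kind and (kind, value) not in found:
                found.append((kind, value))
    return found

def select_playbooks(container):
    """Label-driven dispatch: which playbooks run for this container."""
    return PLAYBOOK_ROUTES.get(container.label, [])

def request_action(action, asset, params, now):
    """Run a read-only action at once; hold a destructive one for the owner."""
    if action in DESTRUCTIVE_ACTIONS and asset.approval_required:
        return Approval(action, asset.name, asset.owner,
                        due=now + timedelta(minutes=asset.sla_minutes))
    return {"action": action, "asset": asset.name,
            "params": params, "status": "success"}

def sla_breached(approval, now):
    """True once a still-pending approval has passed its SLA deadline."""
    return approval.status == "pending" and now > approval.due

def run_playbook_1(container, maxmind, pan_fw, now):
    """Geolocate each IP indicator, then request a block on the PAN asset."""
    results = []
    for kind, value in extract_indicators(container):
        if kind == "ip":
            results.append(request_action("geolocate ip", maxmind, {"ip": value}, now))
            results.append(request_action("block ip", pan_fw, {"ip": value}, now))
    return results

def demo():
    """Constructed sample: one container, two artifacts, two assets."""
    container = Container(1, "Suspicious login", artifacts=[
        Artifact("auth log", {"sourceAddress": "203.0.113.7",
                              "requestURL": "http://example.test/login"}),
        Artifact("dropped file", {"sourceAddress": "203.0.113.7",
                                  "fileHash": "d41d8cd98f00b204e9800998ecf8427e"}),
    ])
    maxmind = Asset("maxmind", "MaxMind", owner="intel-team", approval_required=False)
    pan_fw = Asset("pan_fw_2_7", "PAN Firewall", owner="netsec-oncall")
    return container, run_playbook_1(container, maxmind, pan_fw, EXAMPLE_NOW)
```

Running demo() yields one completed geolocate ip result from the MaxMind asset and one pending Approval for block ip addressed to the PAN asset's owner; the duplicate sourceAddress across the two artifacts collapses to a single indicator, so the firewall is asked only once. A practical caveat the model makes visible: a pending approval whose SLA has passed (sla_breached) is a queue the operations team must watch, because the containment action has not happened.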