Splunk Phantom APP
Splunk Phantom is a Security Orchestration, Automation, and Response (SOAR) system. The Splunk Phantom platform combines security infrastructure orchestration, playbook automation, and case management capabilities to integrate your team, processes, and tools, so that you can orchestrate security workflows, automate repetitive security tasks, and respond quickly to threats. This diagram shows the end-to-end flow of security automation in Splunk Phantom. See the table immediately following the diagram for more information about each Splunk Phantom component in the diagram.

Close your security skills gap by force multiplying your security operations efforts 

  • Integrate your team, processes and tools for greater SOC efficiency
  • Supercharge your SOC with advanced orchestration, automation and response capabilities


Security teams are working hard identifying, analyzing and mitigating threats facing their organizations. 


These teams are also struggling with an endless assembly line of point products and independent static security controls with no orchestration between them. Add the fact that most companies do not have enough security personnel to analyze their volume of daily security alerts, and the result is a growing backlog of security incidents. Organizations want to better leverage existing resources by deploying tools that maximize efficiency and scale, while creating a unified defense system that is greater than the sum of its parts. Splunk® Phantom provides security orchestration, automation and response (SOAR) capabilities that allow analysts to improve efficiency and shorten incident response times. Phantom supercharges the scalability, performance and speed of your security automation with the ability to process 50,000 security events per hour. With Phantom, organizations are able to improve security and better manage risk by integrating teams, processes and tools together. Security teams can automate tasks, orchestrate workflows and support a broad range of security operations center (SOC) functions including event and case management, collaboration and reporting. 


SOC Automation 

Phantom enables teams to work smarter by executing automated actions across their security infrastructure in seconds, versus hours or more if performed manually. Teams can codify workflows into Phantom’s automated playbooks using the visual editor (no coding required) or the integrated Python development environment. By offloading these repetitive tasks, teams can focus their attention on making the most mission-critical decisions. 

Phantom is the connective tissue that lets existing security tools work better together. By connecting and coordinating complex workflows across the SOC's team and tools, Phantom ensures that each part of the SOC's layered defense is actively participating in a unified defense strategy. Powerful abstraction allows teams to focus on what they need to accomplish, while the platform translates that into tool-specific actions.


Incident Response 

Phantom helps security teams investigate and respond to threats faster. Using Phantom's automated detection, investigation and response capabilities, teams can execute response actions at machine speed, reduce malware dwell time and lower their overall mean time to resolve (MTTR). And now with Phantom on Splunk Mobile, analysts can use their mobile device to respond to security incidents while on the go. Phantom's event and case management functionality can further streamline security operations. Case-related data and activity are easily accessible from one central repository. It's easy to chat with other team members about an event or case, and to assign events and tasks to the appropriate team member.


Splunk Phantom components

App: Adds connectivity to third-party security technologies. The connections allow Splunk Phantom to access and run actions that are provided by the third-party technologies. Some apps also provide a visual component, such as widgets, that can be used to render data produced by the app.

The diagram shows three apps in a Splunk Phantom environment:

  • The MaxMind app provides an action to find the geographical location of an IP address.
  • The PhishTank app provides an action to find the reputation of a URL.
  • The Palo Alto Networks (PAN) Firewall app provides several actions, such as blocking and unblocking access to IP addresses, applications, and URLs.

See Add and configure apps and assets to provide actions in Splunk Phantom in the Administer Splunk Phantom manual.

Asset: A specific instance of an app. Each asset represents a physical or virtual device within your organization, such as a server, endpoint, router, or firewall. For example, you might have a Palo Alto Networks (PAN) firewall app that connects the firewall to Splunk Phantom. You configure an asset with the specific connection details for this firewall. If your environment has multiple firewalls, you configure one asset for each firewall.

The diagram shows one MaxMind asset, one PhishTank asset, and two PAN firewall assets. The PAN assets have different version numbers, which is the reason for having two assets.

See Add and configure apps and assets to provide actions in Splunk Phantom in the Administer Splunk Phantom manual.

Container: A security event that is ingested into Splunk Phantom.

Containers have the default label of Events. Labels are used to group related containers together. For example, containers from the same asset can all have the same label. You can then run a playbook against all containers with the same label.

You can create custom labels in Splunk Phantom as needed. See Configure labels to apply to containers in the Administer Splunk Phantom manual.

Case: A special kind of container that can hold other containers. For example, if you have several closely related containers for a security incident, you can promote one of those containers to a case and then add the other related containers to the case. Doing this lets you consolidate your investigation rather than investigating each container individually.

See Overview of cases.

Artifact: A piece of information added to a container, such as a file hash, IP address, or email header.
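To make the relationships between these components concrete, here is an added, simplified in-memory model of them (app, asset, container, label, case, artifact) with a label-targeted playbook and a container-to-case promotion. It is constructed for this page and is not Phantom's own playbook API; asset names, the "pan_firewall" app identifier and the IP values are assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of the Phantom object types described above; not Phantom's API.

@dataclass
class Asset:
    """A specific instance of an app: one asset per physical/virtual device."""
    name: str
    app: str                                   # app this asset instantiates, e.g. "pan_firewall"
    config: dict = field(default_factory=dict) # connection details for this one device

@dataclass
class Artifact:
    """A piece of information attached to a container (IP, file hash, email header)."""
    kind: str
    value: str

@dataclass
class Container:
    """An ingested security event. Default label is "events"."""
    cid: int
    name: str
    label: str = "events"
    artifacts: list = field(default_factory=list)

@dataclass
class Case(Container):
    """A special container that holds other containers for one investigation."""
    members: list = field(default_factory=list)

def promote_to_case(container, related):
    """Promote `container` to a case and add the `related` containers to it."""
    case = Case(container.cid, container.name, container.label, list(container.artifacts))
    case.members = list(related)
    return case

def run_playbook(containers, label, action):
    """Run `action` against every container carrying `label`; return one result per match."""
    return [action(c) for c in containers if c.label == label]

def block_ip_action(assets):
    """Build a playbook action that requests an IP block on every PAN firewall asset.

    Because each firewall is its own asset, the same abstract 'block ip' action
    fans out to one tool-specific request per asset (the diagram's two PAN assets).
    """
    def action(container):
        ips = [a.value for a in container.artifacts if a.kind == "ip"]
        return [(asset.name, ip) for asset in assets if asset.app == "pan_firewall" for ip in ips]
    return action
```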