What is Splunk Phantom (Renamed to Splunk SOAR)?
What is Splunk Phantom, Renamed to Splunk SOAR?
Splunk Phantom, renamed to Splunk SOAR, is a security orchestration, automation, and response (SOAR) solution. Security automation involves machine-based execution of security actions to detect, investigate and remediate threats programmatically.
Splunk SOAR provides security infrastructure orchestration, case management, playbook automation, and integrated threat intelligence. The solution can ingest security events from various sources, letting you track, analyze, and triage events, and use playbooks to automate responses from one interface.
This is part of our series of articles about Splunk SIEM.
Differences Between Splunk SOAR and Splunk Phantom
Splunk Phantom was renamed to SOAR and is now delivered as a cloud-based service. While Splunk SOAR is similar to Phantom, there are differences in both architecture and functionality. For those familiar with the original Phantom solution, here are the key differences:
Applications and Connectors
Used a plugin architecture that allowed you to develop custom connectors.
Comes with over 100 built-in apps / connectors for security and IT systems.
Relies on on-premises equipment and requires dedicated storage.
Provides 600 GB of disk space and another 600 GB storage for its PostgreSQL database.
Enables CLI access.
No CLI access—you can access self-service capabilities via the graphic UI, or submit a support ticket for infrastructure issues.
Provides REST API endpoints for all key functionality.
Supports a subset of Phantom REST APIs, as detailed in the documentation.
Supports the legacy Splunk Connected Experience mobile apps.
Supports mobile devices via the new Splunk Mobile App.
Python Scripting for Playbooks
Supports Python 2 scripting.
Supports Python 3.6.13 and upwards.
Does not support SAML2 for authentication.
Splunk SOAR Architecture
Splunk SOAR works by first connecting to third-party sources using connectors called apps. Admins can configure apps and owners can manage them.
The solution ingests security events into containers. Events may contain IP addresses, email headers, and file hashes stored as artifacts inside containers. You can promote containers to a case consolidating multiple containers, and workbooks can help you define how to manage containers and cases. You can also use playbooks to automate actions.
Splunk SOAR tightly integrates with Splunk Enterprise Security. Learn more in our detailed guide.
Splunk SOAR Features and Capabilities
In Splunk SOAR, an app establishes connectivity with third-party security products and services. It enables Splunk SOAR to access and run third part actions. Certain apps also provide a visual component like a widget that can help render app data.
Here are three key Splunk SOAR apps:
MaxMind—lets you use an action to locate an IP address’s geographical location.
PhishTank—lets you use an action to find a URL’s reputation.
Palo Alto Networks (PAN) Firewall—lets you use several actions, including blocking and unblocking access to applications, URLs, and IP addresses.
Splunk SOAR provides the App Editor interface to help you quickly and easily create, test, and edit apps. You can use the App Editor to view and add code, see log results, test actions, and troubleshoot.
In Splunk SOAR, an asset is an app instance representing a virtual or physical device, such as a router, firewall, endpoint, or server. Splunk SOAR lets you set up an asset and specify connection details for this firewall. If the environment includes multiple firewalls, you can set up one asset per firewall.
A Splunk SOAR container is a security event ingested from a third-party source. All containers are assigned labels, which enable Splunk to group related containers. The default label of containers is Events.
A case in Splunk SOAR is a container that holds several containers. A case can help you consolidate multiple events into one incident that you can investigate as a whole. For example, after locating several related containers, you can promote one container to a case and add all other related containers.
Splunk SOAR employs playbooks to automate IT and security actions at machine speed. Here are key benefits of Splunk SOAR playbooks:
Automated action—playbooks can execute a sequence of actions across several tools in seconds, whereas manually performing these actions can take hours or more.
Pre-made playbooks—Splunk SOAR includes 100 pre-made playbooks that you can use to start automating your security tasks quickly.
A visual playbook editor—enables you to easily create, edit, implement, and scale playbooks to help you eliminate the grunt work usually plaguing security analysts.
Visual Playbook Editor + Input Playbooks
Splunk SOAR provides a visual playbook editor that lets you easily create, edit, implement, and scale automated playbooks. It aims to eliminate security analysis grunt work and enable incident response at machine speed.
For example, you can use the editor to build an input playbook that automates simple security and IT tasks. You can use it as part of larger playbooks when establishing a modular automation approach.
Splunk SOAR provides workbooks for case management. A workbook enables you to codify a standard operating procedure into a reusable template. You can use it to divide tasks into phases, document your work, and assign tasks to collaborators. It also lets you use custom workbooks alongside industry-standard workbooks like the NIST-800 template for incident response.
Splunk SOAR consolidates events ingested from multiple sources into one location. This level of consolidation enables analysts to filter and sort all events to identify high-fidelity events and prioritize action quickly.
Splunk SOAR lets you use custom functions to share custom code across playbooks while introducing complex data objects into the execution path. These out-of-the-box custom blocks can help save time and effort, allowing you to scale your automation without coding it.