What is Splunk Phantom (Renamed to Splunk SOAR)?

Differences Between Splunk SOAR and Splunk Phantom

Splunk Phantom was renamed to SOAR and is now delivered as a cloud-based service. While Splunk SOAR is similar to Phantom, there are differences in both architecture and functionality. For those familiar with the original Phantom solution, here are the key differences:

Splunk SOAR Architecture

Splunk SOAR works by first connecting to third-party sources using connectors called apps. Admins can configure apps and owners can manage them.

The solution ingests security events into containers. Events may contain IP addresses, email headers, and file hashes stored as artifacts inside containers. You can promote containers to a case consolidating multiple containers, and workbooks can help you define how to manage containers and cases. You can also use playbooks to automate actions.

Splunk SOAR tightly integrates with Splunk Enterprise Security. Learn more in our detailed guide.

Splunk SOAR Features and Capabilities

Apps

In Splunk SOAR, an app establishes connectivity with third-party security products and services. It enables Splunk SOAR to access and run third part actions. Certain apps also provide a visual component like a widget that can help render app data.

Here are three key Splunk SOAR apps:

• MaxMind—lets you use an action to locate an IP address’s geographical location.

• PhishTank—lets you use an action to find a URL’s reputation.

• Palo Alto Networks (PAN) Firewall—lets you use several actions, including blocking and unblocking access to applications, URLs, and IP addresses.

App Editor

Splunk SOAR provides the App Editor interface to help you quickly and easily create, test, and edit apps. You can use the App Editor to view and add code, see log results, test actions, and troubleshoot.

Asset

In Splunk SOAR, an asset is an app instance representing a virtual or physical device, such as a router, firewall, endpoint, or server. Splunk SOAR lets you set up an asset and specify connection details for this firewall. If the environment includes multiple firewalls, you can set up one asset per firewall.

Container

A Splunk SOAR container is a security event ingested from a third-party source. All containers are assigned labels, which enable Splunk to group related containers. The default label of containers is Events.

Case

A case in Splunk SOAR is a container that holds several containers. A case can help you consolidate multiple events into one incident that you can investigate as a whole. For example, after locating several related containers, you can promote one container to a case and add all other related containers.

Playbooks

Splunk SOAR employs playbooks to automate IT and security actions at machine speed. Here are key benefits of Splunk SOAR playbooks:

• Automated action—playbooks can execute a sequence of actions across several tools in seconds, whereas manually performing these actions can take hours or more.

• Pre-made playbooks—Splunk SOAR includes 100 pre-made playbooks that you can use to start automating your security tasks quickly.

• A visual playbook editor—enables you to easily create, edit, implement, and scale playbooks to help you eliminate the grunt work usually plaguing security analysts.

Visual Playbook Editor + Input Playbooks

Splunk SOAR provides a visual playbook editor that lets you easily create, edit, implement, and scale automated playbooks. It aims to eliminate security analysis grunt work and enable incident response at machine speed.

For example, you can use the editor to build an input playbook that automates simple security and IT tasks. You can use it as part of larger playbooks when establishing a modular automation approach.

Case Management

Splunk SOAR provides workbooks for case management. A workbook enables you to codify a standard operating procedure into a reusable template. You can use it to divide tasks into phases, document your work, and assign tasks to collaborators. It also lets you use custom workbooks alongside industry-standard workbooks like the NIST-800 template for incident response.

Event Management

Splunk SOAR consolidates events ingested from multiple sources into one location. This level of consolidation enables analysts to filter and sort all events to identify high-fidelity events and prioritize action quickly.

Custom Functions

Splunk SOAR lets you use custom functions to share custom code across playbooks while introducing complex data objects into the execution path. These out-of-the-box custom blocks can help save time and effort, allowing you to scale your automation without coding it.