Splunk Phantom Integration: Maximizing Automation for Incident Detection and Remediation

However, in our interactions with customers, we are finding a great deal of frustration for organizations that have rolled out SOARs.  Much of this frustration comes from the inability of the SOAR to digest the volume of data and alerts that are generated from various sensors in the environment.  Not to mention the correlation and decision-making that needs to happen to find malicious behavior.  When this occurs, organizations miss out on the automation benefits, particularly for incident remediation, that SOAR was meant to address in the first place.

Exacerbating this frustration is the sheer amount of time, effort and cost it takes to write playbooks for automated incident remediation.  Additionally, playbooks must be maintained over time to keep up with the latest Tactics, Techniques and Procedures (TTP) that are constantly changing.  However, if the SOAR isn’t finding the incidents or cannot monitor the data at scale (as is necessary), those playbooks that automate remediation are of little value.

As we announced last fall, the Respond Analyst integrates with Splunk Phantom.  This integration allows Respond to take the heavy lifting of front-end alert monitoring, triage and scoping off of Phantom.  Once incidents are identified and false positives are discarded, the Respond Analyst forwards only the malicious incidents that require remediation.  From there, Phantom will automate remediation actions to close the incident.

Unlocking SOAR with eXtended Detection and Response (XDR)

Sponsorships Available

Sponsorships Available

Sponsorships Available

The Respond Analyst, an XDR Engine from Respond Software, enables organizations to unlock the true automation capabilities of their SOAR deployments by managing the up-front analysis and triage of events before they are passed to the SOAR system. The Respond Analyst is scalable to handle millions of events, escalating actionable and malicious incidents into SOAR for remediation, while filtering out false positives. However, unlike SOAR, the Respond Analyst does not require coding, customization or maintenance over time, therefore, time to value can be recognized in hours. Leveraging the Respond Analyst with SOAR reduces attack dwell time, remediates security issues faster through additional automation, and elevates analyst collaboration.

The Respond Analyst and Splunk Phantom Integration – how it works

When the Respond Analyst escalates an incident, it will also create a new Phantom Container.  A clickable link to the Phantom container is added to the incident in the Respond Analyst console.  Additionally, every escalated event associated with an incident is pushed to the Phantom Container as an artifact.